VwGH - Ro 2021/04/0010
From GDPRhub
| VwGH - Ro 2021/04/0010 | |
|---|---|
 | |
| Court: | VwGH (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 4 GDPR Article 5 GDPR Article 6 GDPR Article 9 GDPR Article 9(2)(g) GDPR Article 22 GDPR Article 57 GDPR Article 58 GDPR § 1 (2) DSG § 25 AMSG § 29 AMSG § 31 AMSG § 4 AMSG |
| Decided: | 21.12.2023 |
| Published: | |
| Parties: | Public Employment Service Austria (respondent in the initial trial before the DSB) DSB (Austria) Minister of Justice (Austria) |
| National Case Number/Name: | Ro 2021/04/0010 |
| European Case Law Identifier: | ECLI:AT:VWGH:2023:RO2021040010.J00 |
| Appeal from: | BVwG (Austria) BVwG - W256 2235360-1 |
| Appeal to: | Not appealed |
| Original Language(s): | German |
| Original Source: | Rechtsinformationssystem des Bundes (RIS) (in German) |
| Initial Contributor: | Bernhard G. |
The Austrian Supreme Administrative Court held that the use of a calculation of the labour market opportunities of jobseekers could constitute an automated decision (Art. 22(1) GDPR). Further findings on the algorithm's decisiveness are required.
English Summary
Facts
The Public Employment Service (AMS) is a service provider under public law with its own legal personality, which is responsible for implementing the labour market policy of the federal government. In order to support workers in their (re-)integration into the labour market, it offers various services which are implemented by its counsellors.
In order to support counsellors in assessing the labour market opportunities of jobseekers, the AMS has developed a concept for calculating the labour market opportunities of jobseekers (AMAS). In concrete terms, AMAS uses an algorithm to automatically calculate the probability of currently registered customers being employed for a certain number of days within a certain period in the future. For this purpose, a so-called IC is calculated from the following data: age group, sex, Group of States, Education, Health impairment, Caring duties, professional group, pre-career, Regional labour market performance, Duration of the business case at the AMS. Based on the calculated IC, a classification is made into the following groups: Service clients with high labour market opportunities, care clients with low labour market opportunities, Counselling clients with medium labour market opportunities.
The results of the AMAS ought to be used in the guidance process and be a starting point for the counsellors to determine, together with the client, the optimal support strategy (subsidies and support services). The final decision on the assignment to a client group is always made by the counsellors.
Originally, the Data Protection Authority (DSB) initiated an ex officio investigation into the matter and concluded that, the AMS was prohibited from processing data with the help of the AMAS with effect from 1 January 2021, unless there is a suitable legal basis for the data processing. In the contested decision, the Austrian Federal Administrative Court held that the Public Employment Service could lawfully process personal data belonging to jobseekers according to Article 9(2)(g) GDPR as this was necessary in order to guarantee a well-functioning labour market and outlined in Austrian law.
Holding
The automated processing of the personal data of the jobseekers concerned (in AMAS) based on a mathematical-statistical program falls under the definition of "profiling" according to Art. 4(4) GDPR in accordance with the case law of the CJEU in C-634/21.
The automatied processing - in this case the determination a value, which determines the probability of integration into the labor market - is itself (already) to be regarded as an "automated decision" within the meaning of Art. 22 para. 1 GDPR, provided that this value significantly determines the allocation to one of the groups and thus has a legal effect on the jobseekers concerned or significantly affects them in a similar way. The fact, that the final decision on the group assignment of the jobseekers lies with the employees of the Public Employment Service, does not necessarily prevent the algorithm (AMAS) from being qualified as an automated decision within the meaning of Art. 22(1) GDPR [they could, indeed, still draw strongly upon the calculated value].
The fact that the employees undergo training and follow instructions to ensure they do not accept the result of the algorithm without questioning does not exclude the possibility that AMAS - as an automated decision - is ultimately decisive for this classification. The previous instance court will thus have to investigate the exact use of the value calculated with AMAS, in particular which other parameters are taken into account and to what extent, or which procedure is envisaged for the utilization of AMAS.
If the use of AMAS falls under the scope of Art. 22(1) GDPR (as will have to be decided by the previous instance court), it would be prohibited unless one of the exceptions listed in Art. 22(2) GDPR applies and the special requirements of Art. 22(3) and (4) GDPR are met.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Regarding
The Administrative Court, through the Chairman Senate President Dr. Kleiser, Councilor Dr. Mayr, court councilor Mag. Hainz-Sator and the court councilor Dr. Pürgy and Mag. Brandl as judges, with the participation of the secretary Mag. Vonier, on the appeal of the data protection authority against the decision of the Federal Administrative Court of December 18, 2020, Zl. W256 2235360-1/5E, concerning a data protection matter (participating party: Public Employment Service , represented by Brauneis Klauser Prändl Rechtsanwälte GmbH in 1010 Vienna, Bauernmarkt 2; other party: Federal Minister of Justice), rightly recognized:
saying
The contested finding is quashed due to illegality of the content.
Reason
1 1. The following undisputed facts can be seen from the contested finding:
2 The party involved (hereinafter: mP), regularly referred to in the proceedings before the administrative court as the “Austrian Labor Market Service”, is responsible for “implementing the federal labor market policy” in accordance with Section 1 Paragraph 1 of the Labor Market Service Act (AMSG) and is referred to as “a service company of public law with its own legal personality”. The participating party (hereinafter: mP), regularly referred to in the proceedings before the administrative court as the “Austrian Labor Market Service”, is responsible, according to paragraph one, paragraph one, of the Labor Market Service Act (AMSG), for “the implementation of the federal labor market policy” and is referred to as “a service company of public law with its own legal personality”.
3 In order to support workers in (re)integrating into the labor market, the mP offers various services. The detailed procedure of the consultants employed for this purpose is set out in the “Federal Guideline” of the Labor Market Service “Supporting the core process of workers”. This states that, during a consultation with job seekers, counselors must explain their wishes/expectations, their previous CV and the reasons for their unemployment. The job seeker's labor market opportunities should be addressed and discussed.
4 In order to support the consultants in assessing job seekers' labor market opportunities, the mP has been developing a concept for calculating labor market opportunities since 2016, the Labor Market Opportunities Assistance System (AMAS). This model should be mandatory for mP consultants from January 1, 2021.
5 This statistical model uses an algorithm to automatically calculate the degree of probability that job seekers will be employed for a certain number of days within a certain period of time in the future. Specifically, an “IC” is calculated based on the following data:
age group,
Gender,
group of states,
Education,
health impairment,
care obligations,
professional group,
pre-career,
regional labor market events as well
Duration of the business case at mP.
6 Based on the “IC”, job seekers are divided into the following three groups:
Service customers with job market opportunities are high
Care customers with labor market prospects low
Advice clients with medium labor market prospects.
7 The results of the AMAS should be used in the consultation process and be a starting point for the consultants to work with the clients to assess the respective potential and, if necessary, the obstacles to labor market integration. Based on this discussion, the optimal care strategy must be defined. If the job seeker expressly has a different assessment of the labor market opportunities than the consultants, this must be documented in the supervision agreement.
8 AMAS does not take into account criteria such as motivation, self-help potential of the customer, addiction, debts, housing situation, etc.
9 2. After the initiation of an ex officio examination procedure in accordance with Article 57 Paragraph 1 Letter h in conjunction with Article 58 Paragraph 1 Letter b and Paragraph 2 Letter a GDPR in conjunction with Section 22 Paragraph 1 DSG, the mP was notified by the appeal applicant Decision of August 16, 2020 the data processing in connection with the determination of labor market opportunities of job seekers with the help of the labor market opportunities After initiation of an ex officio examination procedure in accordance with Article 57, paragraph one, letter h, in conjunction with Article 58, paragraph one, letter b and paragraph 2, Litera a, GDPR in conjunction with paragraph 22, paragraph one, DSG, the mP was granted data processing by the applicant on August 16, 2020 in connection with the determination of labor market opportunities for job seekers with the help of the Labor Market Opportunities Assistance System (AMAS). prohibited with effect from January 1, 2021, “unless there is a suitable legal basis for data processing by this point in time.”
10 In summary, the appellant stated in her decision that data processing was carried out with the help of AMAS as part of the performance of the public tasks assigned to the mP in accordance with Section 1 Paragraph 1 AMSG. According to Section 1 Paragraph 2 DSG, it is necessary for an authority to base its data processing on a sufficiently specific legal authorization. The § 29 and § 31 para. 5 AMSG mentioned by the mP would only generally define the mP's goal and task fulfillment, but would not authorize data processing. The data processing in question involves profiling within the meaning of Art. 4 Z 4 GDPR, which creates “informational added value” to which express reference must be made in the law. The present data processing cannot be based on an appropriate legal basis. In addition, there is a case under Article 22 GDPR, namely an automated individual decision. It should be admitted that the final decision lies with the mP consultants due to internal guidelines. However, these internal instructions for action would not have any binding effect on the mP and would therefore not be subject to any verification controls. In addition, it cannot be ruled out that in individual cases the decision will be based exclusively on profiling. In summary, the appellant stated in her decision that data processing was carried out with the help of AMAS as part of the exercise of the data transferred to the mP in accordance with paragraph one, paragraph one, AMSG public tasks. According to paragraph one, paragraph 2, DSG, it is necessary for an authority to base its data processing on a sufficiently specific legal authorization. Paragraph 29 and Paragraph 31, Paragraph 5, AMSG mentioned by the mP would only generally define the goal and task fulfillment of the mP, but would not authorize data processing. The data processing in question is profiling within the meaning of Article 4, Paragraph 4, GDPR, which creates “informational added value” to which express reference must be made in the law. The present data processing cannot be based on an appropriate legal basis. In addition, there is a case under Article 22, GDPR, namely an automated individual decision. It should be admitted that the final decision lies with the mP consultants due to internal guidelines. However, these internal instructions for action would not have any binding effect on the mP and would therefore not be subject to any verification controls. In addition, it cannot be ruled out that in individual cases the decision will be based exclusively on profiling.
11 3. With the contested finding, the Federal Administrative Court (BVwG) accepted the mP's complaint against the appeal applicant's decision and annulled the contested decision without replacement. The appeal declared it admissible under one.
12 In addition to the findings already presented at the beginning, the BVwG also stated in its justification that the optimal support strategy would only be defined by the consultants on the basis of a support agreement after discussion with the customers. In order to ensure that the consultants would not accept the results of the algorithm without questioning, the mP not only provided the guidelines presented, but also provided appropriate instructions and carried out training.
13 In its legal assessment, the BVwG stated that in an examination procedure initiated ex officio, the applicant as the responsible supervisory authority has the power to order various remedial measures in the event of a violation of the GDPR being determined. The matter of the complaint procedure before the BVwG can only be the examination of the legality of the specific order made in connection with the violation based on the supervisory authority. In the present case, it can be assumed that the applicant for appeal issued the ban issued in the notice solely because there was a lack of a sufficient legal basis for the official action. The BVwG is denied a review of data processing that goes beyond the legality assessed in the contested decision.
14 Article 9 Paragraph 2 Letter h GDPR refers, according to its wording, to data processing for health-related purposes. In the present case, this provision should therefore not be used without further ado. According to its wording, Article 9, Paragraph 2, Litera h, GDPR refers to data processing for health-related purposes. In the present case, that provision cannot therefore be relied upon without further ado.
15 It follows from Article 6 Paragraph 1 Letter e GDPR and Article 9 Paragraph 2 Letter D GDPR that the processing of personal data can be lawful if the processing is for a sovereign or other task in the public interest or . in the case of processing special categories of personal data due to significant public interest. In this context, according to the provisions of the GDPR, it is irrelevant whether the person responsible is an authority or a private body and in which case Article 6, paragraph one, Litera e, GDPR or Article 9, paragraph 2, Litera d, GDPR follows that the processing of personal data can be lawful if the processing is necessary for a sovereign or other task in the public interest or, in the case of the processing of special categories of personal data, due to a significant public interest. In this context, according to the provisions of the GDPR, it is irrelevant whether the person responsible is an authority or a private body and in which form - sovereign or private - the person responsible may act. Rather, the decisive factor is whether a matter is in the public or significant public interest and whether legally regulated data processing is carried out. Art. 6 Para. 3 GDPR sets out the content requirements for an appropriate legal basis, which in connection with Recital 41 of the GDPR should be clear and precise and foreseeable for those subject to the law. In connection with Article 9 Paragraph 2 Letter g GDPR, it is also stipulated that the corresponding legal basis should provide for appropriate and specific measures to safeguard the fundamental rights and interests of the data subjects. Section 1 (2) DSG, BGBl. The provisions of Union law form the responsible party to take action if necessary. Rather, the decisive factor is whether a matter is in the public or significant public interest and whether legally regulated data processing is carried out. Article 6, paragraph 3, GDPR sets out the content requirements for an appropriate legal basis, which in connection with recital 41 of the GDPR should be clear and precise and foreseeable for those subject to the law. In connection with Article 9, Paragraph 2, Litera g, GDPR, it is additionally stipulated that the corresponding legal basis should provide for appropriate and specific measures to safeguard the fundamental rights and interests of the data subjects. Paragraph one, paragraph 2, DSG, Federal Law Gazette Part One, No. 165 from 1999, in the version of Federal Law Gazette Part One, No. 14 from 2019, does not provide anything else, provided that the data processing is carried out by the state authorities. The EU law provisions - Article 6 and Article 9 of the GDPR - would generally require a task in the significant public interest and - therefore not limited to sovereign activities - a sufficiently defined legal basis for data processing. In the present case, it can therefore remain an open question whether the mP carries out the data processing that is the subject of the proceedings in a sovereign or private law form. Rather, because the data processing in question also includes health data and thus special categories of data within the meaning of Art. 9 Para. 1 GDPR, what matters is whether the data processing in question takes place on an appropriate legal basis and is essential for the task of the mP public interest is necessary. require a sufficiently specific legal basis for data processing. In the present case, it can therefore remain an open question whether the mP carries out the data processing that is the subject of the proceedings in a sovereign or private law form. Rather, because the data processing in question also includes health data and thus special categories of data within the meaning of Article 9, paragraph one, GDPR, it depends on whether the data processing in question takes place on an appropriate legal basis and is essential for the mP's task public interest is necessary.
16 The mP is a service company under public law with its own legal personality, which is responsible for implementing the federal labor market policy. According to Section 29 Para. 1 AMSG, the mP must work towards bringing together the supply of labor and the demand for labor as completely, economically sensible and sustainably as possible in order to ensure the supply of labor to the economy and the employment of all people available on the labor market in the best possible way. In accordance with Section 29 Para. 2 AMSG, the mP is required to efficiently place suitable workers in jobs that, as far as possible, offer employment that corresponds to the job seeker's placement wishes, as well as the impact of circumstances that would hinder direct placement in this sense. to help overcome. The principles of thrift, economy and expediency must be observed and it must also be ensured that suitable support services are offered to groups of people who are particularly at risk of unemployment. The mP is a service company under public law with its own legal personality, which implementation of the federal labor market policy. According to paragraph 29, paragraph one, AMSG, the mP must work towards the most complete, economically sensible and sustainable combination of the labor supply and the labor demand in order to best secure the supply of the economy with labor and the employment of all people available on the labor market. In accordance with paragraph 29, paragraph 2, AMSG, the mP is required to efficiently place suitable workers in jobs that, if possible, offer employment that corresponds to the job seeker's placement wishes, as well as the impact of circumstances that would hinder direct placement in this sense to help overcome. The principles of thrift, economy and expediency should be observed and it should also be ensured that suitable support services are offered to groups of people who are particularly at risk of unemployment.
17 § 25 para. 2 AMSG expressly grants mP the authorization to process the personal data involved in the proceedings, provided that these are an essential prerequisite for fulfilling the statutory task. The task of ensuring an orderly and well-functioning labor market, which is legally assigned to the mP by Section 29 AMSG, is undoubtedly one of considerable public interest within the meaning of Art expressly authorizes the processing of the personal data involved in the proceedings, provided that these are an essential prerequisite for fulfilling the statutory task. The task of ensuring an orderly and well-functioning labor market, which is legally assigned to the MP by Paragraph 29, AMSG, is undoubtedly one of considerable public interest within the meaning of Article 9, Paragraph 2, Litera g, GDPR.
18 In addition, it is undisputed that it is also necessary to take into account the personal characteristics of job seekers in combination with the general labor market situation and the resulting employment opportunities for job seekers on the labor market in order to achieve the task of optimally supplying the economy with workers and employing job seekers to ensure that we can meet the requirements in the best possible way. The relevance of the personal data included in the data processing for the purpose of the procedure cannot be disputed. There are therefore no concerns that the MP may use the personal data at issue in the proceedings to “ensure proper labor market policy”. Against the background of the requirements of the GDPR and the DSG, Section 25 Paragraph 10 AMSG takes related comprehensive, appropriate technical and organizational measures to ensure processing that complies with the principles of the DSGVO and the DSG. In addition to the measures mentioned in recital 78, Section 25 (10) AMSG provides for additional specific requirements for ensuring data security. In addition, it is undisputed that it is also necessary to take into account the personal characteristics of the job seekers in combination with the general labor market situation and the resulting application opportunities of job seekers on the labor market in order to be able to fulfill the task of optimally supplying the economy with workers and securing the employment of job seekers in the best possible way. The relevance of the personal data included in the data processing for the purpose of the procedure cannot be disputed. There are therefore no concerns that the MP may use the personal data at issue in the proceedings to “ensure proper labor market policy”. Paragraph 25, Paragraph 10, AMSG takes, against the background of the requirements of the GDPR and the DSG, comprehensive, appropriate technical and organizational measures to ensure processing that complies with the principles of the DSGVO and the DSG. In addition to the measures mentioned in recital 78, paragraph 25, paragraph 10, AMSG provides for additional specific requirements for ensuring data security.
19 The appeal applicant does not question the fundamental right of the mP to carry out an assessment of the labor market opportunities of job seekers based on certain personal data. An “informational added value” assumed by the appeal applicant of an assessment of labor market opportunities based on the same personal data - whether the assessment is not automated or based on profiling – cannot be recognized from a data protection perspective because every assessment is also based on the weighting given by the evaluator.
20 In addition, a different assessment of the lawfulness of data processing cannot be derived from Article 6 Paragraph 1 Letter e or Article 9 Paragraph 2 Letter D GDPR because these provisions do not distinguish between automated and non-automated processing would only focus generally on the concept of processing. Art. 4 Z 1 GDPR, in turn, uses an exemplary list to define the processes there in connection with personal data as processing, without distinguishing whether this is carried out with or without the help of automated processes. The fact that Art. 4 Z 4 GDPR specifically refers to exclusively automated processing as profiling highlights this important application and makes it clear that this form of processing falls within the scope of the GDPR and must comply with the general criteria there. In addition, a different assessment can be made the lawfulness of data processing relating to Article 6, paragraph one, Litera e, or Article 9, paragraph 2, Litera d, GDPR cannot be derived because these provisions would not distinguish between automated and non-automated processing, but only generally refer to the term would stop processing. Article 4, paragraph one, GDPR, in turn, uses an exemplary list to define the processes there in connection with personal data as processing, without distinguishing whether this is carried out with or without the help of automated processes. The fact that Article 4, Paragraph 4, GDPR specifically refers to exclusively automated processing as profiling highlights this important application and makes it clear that this form of processing falls within the scope of the GDPR and must comply with the general criteria therein.
21 Art. 22 GDPR, in turn, states that a data subject should have the right not to be subject to a decision to evaluate aspects concerning him or her that would be based solely on automated processing and that would have legal effects for the data subject or in a similar way significantly affected. Art. 22 GDPR is therefore only aimed at decisions that would be made without any human intervention. However, this provision does not limit profiling as such in its legal admissibility as part of decision support. As stated, the algorithm in question and the labor market opportunities calculated from it should only be used as a source of information for a decision by the mP consultants. The ultimate decision about the job seekers' labor market opportunities should remain with the consultants. In this regard, the mP has internal guidelines and instructions and training courses are carried out. The guidelines issued in accordance with Section 4 Paragraph 2 Z 2 AMSG are binding for all organs and institutions for the fulfillment of the mP's tasks. The Federal Guideline “Core Process of Supporting Workers” specifies the exact process in relation to the assessment of labor market opportunities and expressly states that the mP consultants have to discuss the calculated labor market opportunities with the person concerned in a consultation, regardless of the person concerned’s contrary view document and ultimately decide on it. In view of these clear requirements, there are no reasons to assume a completely automated decision within the meaning of Article 22 GDPR. With the appeal applicant's argument that, due to the shortened consultation times, it cannot be ruled out that a completely automated decision would ultimately be made because the mP's consultants would routinely adopt the value calculated by AMAS, the applicant overlooks the fact that the assessment of whether data processing should be carried out Article 5 Paragraph 1 Letter a of the GDPR is lawful in itself and must be distinguished from the assessment of whether the controller ensures the lawfulness of such data processing. When assessing the lawfulness of data processing, the actual processing process and possible violations by third parties should not be taken into account. Whether the mP ultimately adequately fulfills its obligation under Article 5 Paragraph 1 Letter f of the GDPR and excludes unauthorized use of the data processing that is the subject of the proceedings is not the subject of the complaint procedure that is the subject of the proceedings. Ultimately, it should be noted in this context that the applicant for the appeal itself assumed in the contested decision that the mP had taken appropriate measures “internal to the organization” to protect job seekers and thus appropriately excluded any abusive use of data processing by its employees. Article 22, GDPR in turn determines this , that a data subject should have the right not to be subject to a decision assessing aspects concerning him or her which would be based solely on automated processing and which would have legal effects on the data subject or similarly significantly affect him or her. Article 22, GDPR therefore only targets decisions that would be made without any human intervention. However, this provision does not limit profiling as such in its legal admissibility as part of decision support. As stated, the algorithm in question and the labor market opportunities calculated from it should only be used as a source of information for a decision by the mP consultants. The ultimate decision about the job seekers' labor market opportunities should remain with the consultants. In this regard, the mP has internal guidelines and instructions and training courses are carried out. The guidelines issued in accordance with paragraph 4, paragraph 2, number 2, AMSG are binding for all bodies and institutions for the fulfillment of the mP's tasks. The Federal Guideline “Core Process of Supporting Workers” specifies the exact process in relation to the assessment of labor market opportunities and expressly states that the mP consultants have to discuss the calculated labor market opportunities with the person concerned in a consultation, regardless of the person concerned’s contrary view document and ultimately decide on it. In view of these clear requirements, there are no reasons to assume a completely automated decision within the meaning of Article 22, GDPR. With the appeal applicant's argument that, due to the shortened consultation times, it cannot be ruled out that a completely automated decision would ultimately be made because the mP's consultants would routinely adopt the value calculated by AMAS, the applicant overlooks the fact that the assessment of whether data processing should be carried out Article 5, paragraph one, Litera a, GDPR is lawful in itself and must be distinguished from the assessment of whether the controller ensures the lawfulness of such data processing. When assessing the lawfulness of data processing, the actual processing process and possible violations by third parties should not be taken into account. Whether the mP ultimately adequately fulfills its obligation under Article 5, paragraph one, letter f, GDPR and excludes unauthorized use of the data processing at issue is not the subject of the complaint procedure at issue. Ultimately, it should be noted in this context that the applicant for the appeal itself assumed in the contested decision that the mP had taken appropriate measures “internal to the organization” to protect job seekers and thus appropriately excluded any unlawful use of data processing by its employees.
22 In summary, it should be noted that the mP is fundamentally entitled to carry out an assessment of personal data in accordance with Section 25 Paragraph 1 AMSG. It cannot be assumed that the mere use of automated processing results in “informational added value”. The case of a decision based solely on automated data processing, which is frowned upon in Art. 22 GDPR, does not apply here because, in summary, it should be noted that the mP is fundamentally entitled to carry out an assessment of personal data in accordance with paragraph 25, paragraph one, AMSG. It cannot be assumed that the mere use of automated processing results in “informational added value”. The case of a decision based solely on automated data processing, frowned upon in Article 22, GDPR, does not apply here because - as shown - the final decision lies with the consultants. Whether the mP has adequately fulfilled its obligation under the GDPR to prevent unauthorized use by taking appropriate measures is not the subject of the present procedure, which is limited to the assessment of legality. Since the present data processing can rightly be based on Section 25 Paragraph 1 AMSG, the contested decision should be repealed for lack of a violation of the principle of lawful data processing set out in Article 5 Paragraph 1 Letter a of the GDPR. the final decision rests with the consultants. Whether the mP has adequately fulfilled its obligation under the GDPR to prevent unauthorized use by taking appropriate measures is not the subject of the present procedure, which is limited to the assessment of legality. Since the present data processing can rightly be based on paragraph 25, paragraph one, AMSG, the contested decision should be repealed for lack of a violation of the principle of lawful data processing normed in Article 5, paragraph one, litera a, GDPR.
23 The appeal is admissible because (among other things) there is a lack of supreme court case law on Articles 6, 9 and 22 of the GDPR in connection with profiling. The appeal is admissible because (among other things) there is a supreme court case law on Articles 6, 9 and 22 GDPR in connection with profiling are missing.
24 4. This decision is the subject of an ordinary appeal by the authority concerned before the administrative court.
25 The mP submitted an appeal in the preliminary proceedings before the BVwG.
5. The Administrative Court considered:
26 The appeal refers to the statements of the BVwG regarding the admissibility of the appeal and to the fact that there is a lack of supreme court case law on the requirement for certainty of legal provisions against the background of the GDPR and on the question of the interpretation of the criterion of “similar significant impairment” within the meaning of Article 22 GDPR. The appeal refers to the BVwG's statements regarding the admissibility of the appeal and to the fact that there is a lack of supreme court case law on the requirement for certainty of legal provisions against the background of the GDPR and on the question of the interpretation of the criterion of "similar significant impairment" within the meaning of Article 22, GDPR.
27 The appeal is admissible for these reasons and is ultimately justified.
28 5.1. The legal basis:
29 5.1.1. The relevant case-by-case recitals and provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (Data Protection -Basic Regulation - GDPR), OJ L 119 of May 4, 2016, p. 1, read as follows:
"(10) In order to ensure a uniform and high level of data protection for natural persons and to remove barriers to the movement of personal data within the Union, the level of protection of the rights and freedoms of natural persons when processing those data should be equivalent in all Member States . The rules protecting the fundamental rights and freedoms of natural persons when processing personal data should be applied evenly and uniformly across the Union. As regards the processing of personal data for the fulfillment of a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Member States should be able to adopt national provisions ensuring the application of the rules maintained or introduced as specified in this Regulation. In conjunction with the general and horizontal data protection legislation implementing Directive 95/46/EC, Member States have several sector-specific legislation in areas requiring more specific provisions. This Regulation also provides Member States with flexibility to specify their rules, including for the processing of special categories of personal data (hereinafter “sensitive data”). In this regard, this Regulation does not exclude the laws of Member States defining the circumstances of specific processing situations, including a more precise definition of the conditions under which the processing of personal data is lawful.
(...)
(40) In order for the processing to be lawful, personal data must be processed with the consent of the data subject or on another lawful legal basis arising from this Regulation or, whenever referred to in this Regulation, other Union law or law of the Member States, including on the basis that they are necessary for the fulfillment of the legal obligation to which the controller is subject, or for the performance of a contract to which the data subject is a party, or for the implementation of pre-contractual measures at the data subject's request is required.
(41) Where reference is made in this Regulation to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a Parliament; This does not affect requirements in accordance with the constitutional order of the Member State concerned. However, the relevant legal basis or legislative measure should be clear and precise and its application should be foreseeable to those subject to the law, in accordance with the case law of the Court of Justice of the European Union (hereinafter 'Court of Justice') and the European Court of Human Rights.
(...)
(45) If the processing is carried out by the controller on the basis of a legal obligation incumbent on him or if the processing is necessary to carry out a task in the public interest or in the exercise of official authority, there must be a basis for this in Union law or in the law of a Member State. This regulation does not require a specific law for each individual processing. A law as a basis for several processing operations may be sufficient if the processing is carried out on the basis of a legal obligation incumbent on the controller or if the processing is necessary to carry out a task in the public interest or in the exercise of official authority. Likewise, the purposes for which the data may be processed should be regulated in Union law or the law of the Member States. This law could also clarify the general conditions of this Regulation governing the lawfulness of the processing of personal data and specify how the controller is to be determined, what type of personal data are processed, which persons are concerned, which entities the personal data are to be used Data will be disclosed, for what purposes and for how long it may be stored and what other measures will be taken to ensure that the processing is lawful and fair. Likewise, it should be regulated in Union law or the law of the Member States whether the person responsible for carrying out a task carried out in the public interest or in the exercise of official authority is a public authority or another natural person covered by public law legal person or, where justified by the public interest, including health purposes, such as public health or social security or the administration of health care benefits, a natural or legal person governed by private law, such as a professional association, should act.
(...)
(71) The data subject should have the right not to be subject to a decision - which may include a measure - assessing personal aspects concerning him or her which is based solely on automated processing and which produces legal effects for the data subject or which involves him or her similarly significantly impacted, such as automatic rejection of an online loan application or online hiring process without any human intervention. Such processing also includes 'profiling', which consists of any form of automated processing of personal data evaluating personal aspects relating to a natural person, in particular to analyze or predict aspects relating to work performance, economic situation, health, personal preferences or Interests, reliability or behavior, whereabouts or change of location of the person concerned, insofar as this has legal effects for the person concerned or significantly affects them in a similar way. However, decision-making based on such processing, including profiling, should be permitted where expressly permitted by Union law or the law of the Member States to which the controller is subject, including in order to be consistent with the rules, standards and Recommendations of the institutions of the [European] Union or national supervisory bodies to monitor and prevent fraud and tax evasion and to ensure the security and reliability of a service provided by the controller, or when necessary for the conclusion or performance of a contract between the data subject and is required by a person responsible or if the data subject has given their express consent to this. In any case, such processing should be accompanied by appropriate safeguards, including specific information to the data subject and the right to direct human intervention, to express one's own point of view, to have the decision made following an appropriate assessment explained, and the right to challenge the same Decision. This measure should not affect any child. In order to ensure fair and transparent processing towards the data subject, taking into account the specific circumstances and framework in which the personal data are processed, the data controller should use appropriate mathematical or statistical methods for profiling, adopt technical and organizational measures , which appropriately ensure, in particular, that factors giving rise to inaccurate personal data are corrected and the risk of errors is minimized, and secure personal data in a manner that addresses potential threats to the interests and rights of the data subject is taken into account and, among other things, prevent discriminatory effects or processing that has such an effect against natural persons on the basis of race, ethnic origin, political opinion, religion or belief, trade union membership, genetic disposition or state of health and sexual orientation has. Automated decision-making and profiling based on special categories of personal data should only be permitted under certain conditions.
(...)
Article 4
Definitions
(1) For the purposes of this Regulation, the term means:
(...)
4. 'Profiling' any type of automated processing of personal data, which consists in using these personal data to evaluate certain personal aspects relating to a natural person, in particular aspects relating to work performance, economic situation, health to analyze or predict that natural person's personal preferences, interests, reliability, behavior, location or movements;
(...)
Article 5
Principles for processing personal data
(1) Personal data must
a) processed lawfully, fairly and in a manner that is understandable to the data subject (“lawfulness, fair processing, transparency”);
(...)
c) be appropriate and relevant to the purpose and limited to what is necessary for the purposes of the processing ('data minimization');
(...)
Article 6
Lawfulness of processing
(1) Processing is only lawful if at least one of the following conditions is met:
(...)
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(...)
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(...)
2. Member States may maintain or introduce more specific provisions to adapt the application of the rules of this Regulation in relation to processing to comply with points (c) and (e) of paragraph 1, by defining more precisely specific processing requirements and other measures to ensure lawful processing and to ensure fair processing, including for other specific processing situations referred to in Chapter IX. 2. Member States may maintain more specific provisions adapting the application of the rules of this Regulation in relation to processing to comply with points (c) and (e) of paragraph 1 or introduce by specifying more precisely specific processing requirements and other measures to ensure lawful and fair processing, including for other special processing situations in accordance with Chapter IX.
(3) The legal basis for the processing operations referred to in paragraph 1 letters c and e is determined by
a) Union law or
b) the law of the Member States to which the controller is subject.
The purpose of the processing must be set out in that legal basis or, in relation to the processing referred to in point (e) of paragraph 1, be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This legal basis may contain specific provisions adapting the application of the rules of this Regulation, including provisions on the general conditions governing the lawfulness of the processing carried out by the controller, the types of data processed, the persons concerned, and the entities to which they are subject and the purposes for which the personal data may be disclosed, the purpose limitation they are subject to, how long they may be stored and the processing operations and procedures that may be used, including measures to ensure lawful and fair processing, such as those for others special processing situations in accordance with Chapter IX. Union or Member State law must pursue an objective of public interest and be proportionate to the legitimate purpose pursued. procedures may be applied, including measures to ensure lawful and fair processing, such as those for other purposes special processing situations according to Chapter Roman IX. Union law or the law of the Member States must pursue an objective in the public interest and be proportionate to the legitimate aim pursued.
(4) Where the processing for a purpose other than that for which the personal data were collected is not based on the consent of the data subject or on a Union or Member State law which, in a democratic society, is a necessary and proportionate measure to protection of the objectives referred to in Article 23(1), the controller shall take into account, inter alia, to determine whether processing for another purpose is compatible with that for which the personal data were originally collected
a) any connection between the purposes for which the personal data were collected and the purposes of the intended further processing,
b) the context in which the personal data was collected, in particular with regard to the relationship between the data subjects and the person responsible,
c) the nature of the personal data, in particular whether special categories of personal data are processed in accordance with Article 9 or whether personal data relating to criminal convictions and offenses are processed in accordance with Article 10,
d) the possible consequences of the intended further processing for the data subjects,
e) the existence of appropriate safeguards, which may include encryption or pseudonymization.
(...)
Article 9
Processing of special categories of personal data
(1) The processing of personal data revealing racial and ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, health data or data relating to sexual life or the sexual orientation of a natural person is prohibited.
(2) Paragraph 1 does not apply in the following cases:
(...)
g) The processing is carried out on the basis of Union law or the law of a Member State which is proportionate to the objective pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject necessary for reasons of significant public interest,
h) the processing is for the purposes of preventive health care or occupational medicine, for assessing the employee's ability to work, for medical diagnostics, for health or social care or treatment or for the administration of health or social systems and services on the required on the basis of Union law or the law of a Member State or pursuant to a contract with a health professional and subject to the conditions and guarantees referred to in paragraph 3,
(...)
3. The personal data referred to in paragraph 1 may be processed for the purposes referred to in point (h) of paragraph 2 if those data are processed by or under the responsibility of professional staff and such professional staff are processed in accordance with Union law or the law of a Member State or the rules of national competent authorities bodies are subject to professional secrecy, or if the processing is carried out by another person who is also subject to an obligation of confidentiality under Union law or the law of a Member State or the rules of national competent authorities.
4. Member States may introduce or maintain additional conditions, including restrictions, as far as the processing of genetic, biometric or health data is concerned.
(...)
Article 22
Automated decisions in individual cases including profiling
(1) The data subject has the right not to be subject to a decision based solely on automated processing - including profiling - which has legal effects on him or her or similarly significantly affects him or her.
(2) Paragraph 1 does not apply if the decision
a) is necessary for the conclusion or performance of a contract between the data subject and the person responsible,
b) is permitted by Union or Member State law to which the controller is subject and such law contains appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject or
c) is carried out with the express consent of the data subject.
(3) In the cases referred to in paragraph 2 letters a and c, the controller shall take appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject, including at least the right to obtain human intervention on the part of the controller Present your own point of view and appeal against the decision.
4. Decisions under paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless Article 9(2)(a) or (g) applies and appropriate measures have been taken to protect the rights and freedoms and legitimate interests of the data subject .”
30 5.1.2. § 1 of the Federal Act on the Protection of Natural Persons in the Processing of Personal Data (Data Protection Act, paragraph one, of the Federal Act on the Protection of Natural Persons in the Processing of Personal Data (Data Protection Act - DSG), Federal Law Gazette I No. 165/1999 as amended by Federal Law Gazette I No. 51 /2012, excerpt reads: DSG), Federal Law Gazette Part One, No. 165 from 1999, in the version Federal Law Gazette Part One, No. 51 from 2012, reads in excerpt:
“Article 1 (Constitutional provision)
Basic right to data protection
§ 1. Paragraph one, (1) Everyone has the right to confidentiality of personal data concerning them, particularly with regard to respect for their private and family life, to the extent that there is a legitimate interest in doing so. The existence of such an interest is excluded if data is not accessible to a confidentiality claim due to its general availability or because it cannot be traced back to the data subject.
(2) If the use of personal data is not in the vital interest of the person concerned or with his or her consent, restrictions on the right to secrecy are only permissible to protect the overriding legitimate interests of another, and in the event of intervention by a state authority only on the basis of laws, which are necessary for the reasons stated in Article 8 Paragraph 2 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No. 210/1958. Such laws may only provide for the use of data that are particularly worthy of protection in order to protect important public interests and at the same time must establish appropriate guarantees to protect the confidentiality interests of those affected. Even in the case of permissible restrictions, the interference with the fundamental right may only be carried out in the mildest manner that achieves the desired goal. (2) If the use of personal data is not in the vital interest of the person concerned or with his or her consent, restrictions on the right to Secrecy is only permissible to protect the overriding legitimate interests of another, and in the case of interventions by a state authority only on the basis of laws arising from the provisions of Article 8, paragraph 2, of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Federal Law Gazette No. 210 for reasons mentioned in 1958 are necessary. Such laws may only provide for the use of data that are particularly worthy of protection in order to protect important public interests and at the same time must establish appropriate guarantees to protect the confidentiality interests of those affected. Even in the case of permissible restrictions, the interference with the fundamental right may only be carried out in the mildest way that achieves the desired goal.
(...)"
31 5.1.3. The relevant provisions of the Federal Law on the Labor Market Service (Labor Market Service Act - AMSG), Federal Law Gazette No. 313/1994, namely § 1, § 25 and § 27 as amended by Federal Law Gazette I No. 32/2018, § 29 as amended by Federal Law Gazette I No. 3/2013, § 31 as amended by BGBl. I No. 90/2009, § 32 as amended by BGBl. I No. 71/2005 and § 38c as amended by BGBl 1994, namely paragraph one, paragraph 25, and paragraph 27, in the version of the Federal Law Gazette Part One, No. 32 from 2018, Paragraph 29, in the version of the Federal Law Gazette Part One, No. 3 from 2013, Paragraph 31, in the version of the Federal Law Gazette Part One, No. 90 from 2009, paragraph 32, in the version of the Federal Law Gazette Part One, No. 71 from 2005, and paragraph 38 c, in the version of the Federal Law Gazette Part One, No. 77 from 2004, are excerpts :
“Labor market service
§ 1. Paragraph one, (1) The implementation of the federal labor market policy is the responsibility of the 'Labor Market Service'. The employment service is a service company under public law with its own legal personality.
(...)
Data processing
§ 25. Paragraph 25, (1) The employment service, the Federal Administrative Court and the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection are authorized to process personal data within the meaning of the Data Protection Act, Federal Law Gazette I No. 165/1999, to the extent that these are an essential prerequisite for fulfilling legal tasks. The types of data in question are: (1) The Labor Market Service, the Federal Administrative Court and the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection are authorized to process personal data within the meaning of the Data Protection Act, Federal Law Gazette Part One, No. 165 from 1999 , as these are an essential prerequisite for fulfilling legal tasks. The types of data in question are:
(...)
(2) The data processed by the labor market service or the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection in accordance with paragraph 1, with the exception of health data in accordance with paragraph 1 item 4, may be passed on to other authorities, courts, social security institutions and the Austrian Federal Statistical Institute Methods of automated data processing are disclosed to the extent that the corresponding data is an essential prerequisite for the execution of the respective legally assigned tasks. Other authorities, courts and social insurance providers may disclose data processed by them in accordance with paragraph 1, with the exception of health data in accordance with paragraph 1 item 4, to the employment service and the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection by means of automated data processing , insofar as this data is an essential prerequisite for the execution of the tasks legally assigned to the employment service and the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection. Data transmitted by the social insurance providers in accordance with paragraph 1 item 9 may be processed personally by the labor market service and the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection for the purposes of the sustainable labor market integration of this group of people. (2) The data transmitted by the labor market service or the Federal Ministry of Labor, Social, health and consumer protection data processed in accordance with paragraph one, with the exception of health data in accordance with paragraph one, number 4, may be disclosed to other authorities, courts, social insurance institutions and the Austrian Federal Statistical Institute by means of automated data processing, provided that the relevant data processing is carried out Data is an essential prerequisite for the execution of the respective legally assigned tasks. Other authorities, courts and social security institutions may disclose the data they process in accordance with paragraph one, with the exception of health data in accordance with paragraph one, number 4, to the employment service and the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection by means of automated data processing insofar as this data is an essential prerequisite for the execution of the tasks legally assigned to the Labor Market Service and the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection. Data transmitted by the social insurance providers in accordance with paragraph one, number 9, may be processed personally by the labor market service and the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection for the purposes of the sustainable labor market integration of this group of people.
(...)
(4) The data processed by the employment service in accordance with paragraph 1 may be sent to the Bundesrechenzentrum GmbH and to institutions to which the tasks of the employment service are assigned (Section 30 paragraph 3 and Section 32 paragraph 3), as part of the services to be provided by them Methods of automated data processing can be transmitted. (4) The data processed by the employment service in accordance with paragraph one may be sent to the Federal Computing Center GmbH and to institutions to which the tasks of the employment service are assigned (paragraph 30, paragraph 3 and paragraph 32, paragraph 3), in As part of the services to be provided by them, they are transmitted by means of automated data processing.
(5) The labor market service and the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection may transmit the data they process in accordance with paragraph 1, with the exception of health data in accordance with paragraph 1 item 4, to authorized legal entities by means of automated data processing, provided that corresponding data is an indispensable prerequisite for the fulfillment of a research contract awarded to assess the services, aid and other financial benefits of the employment service. For scientific and statistical studies that are in the public interest, the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection and the Labor Market Service may use the necessary data in accordance with paragraph 1 (except Z 1 lit. a and e to h), linked to the encrypted bPK AS , to the Austrian Federal Statistical Institute for the purpose of merging with indirectly personal data from other authorities or social insurance institutions or data on the working population available to the Federal Institute. These other authorities or social insurance providers may also transmit processed data from their own state area of activity, linked to the encrypted bPK AS, to the Federal Financial Supervisory Authority in accordance with legal regulations. A return transfer of merged data or the possibility of restoring a direct personal connection is not permitted. The Federal Institute prepares the scientific or statistical evaluations after being commissioned by the Federal Minister of Labor, Social Affairs, Health and Consumer Protection. The Federal Institute provides its services in accordance with this Federal Law against reimbursement of costs in accordance with Section 32 Paragraph 4 Item 2 of the Federal Statistics Act 2000. The combined data must be deleted as soon as they are no longer required for the purpose of the investigation, at the latest after three years. (5) The Labor Market Service and the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection may transmit the data they process in accordance with paragraph one, with the exception of health data in accordance with paragraph one, number 4, to authorized legal entities by means of automated data processing, provided that the corresponding data are an indispensable prerequisite for the fulfillment of a research contract awarded to assess the services, aid and other financial benefits of the employment service. For scientific and statistical studies that are in the public interest, the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection and the Labor Market Service may use the data required for this in accordance with paragraph one (except number one, litera a, and e to h), linked to the encrypted bPK AS, the Federal Statistical Institute Austria for the purpose of merging with indirect personal data from other authorities or social insurance institutions or data from the working population available at the Federal Institute. These other authorities or social insurance providers may also transmit processed data from their own state area of activity, linked to the encrypted bPK AS, to the Federal Financial Supervisory Authority in accordance with legal regulations. A return transfer of merged data or the possibility of restoring a direct personal connection is not permitted. The Federal Institute prepares the scientific or statistical evaluations after being commissioned by the Federal Minister of Labor, Social Affairs, Health and Consumer Protection. The Federal Institute provides its services in accordance with this Federal Law against reimbursement of costs in accordance with Section 32, Paragraph 4, Number 2 of the Federal Statistics Act 2000. The combined data must be deleted as soon as they are no longer required for the purpose of the investigation, at the latest after three years.
(6) The Austrian Federal Statistical Institute may process employer master data in accordance with Paragraph 1 Item 6 and data on training in accordance with Paragraph 1 Item 2 lit. b and Item 7 lit. b to the Labor Market Service and the Federal Ministry of Labor, Social Affairs and Health and consumer protection by means of automated data processing, insofar as this data constitutes an essential prerequisite for the purposes of scientific or labor market statistical studies that fall within its legal scope and do not have any personal results as their aim (§ 7 DSG). (6) The Austrian Federal Statistical Institute may master data of employers processed by it in accordance with paragraph one, number 6 and data on training in accordance with paragraph one, number 2, letter b and number 7, letter b, the labor market service and the Federal Ministry of Labor, Social Affairs, Health and Consumer Protection by means of automated data processing disclose to the extent that this data is an essential prerequisite for the purposes of scientific or labor market statistical studies that fall within their legal scope and do not aim to produce personal results (Section 7, DSG).
(7) If this is necessary for the fulfillment of the statutory tasks, health data (paragraph 1 no. 4) may be disclosed by the labor market service to the responsible social insurance institutions, the Ministry of Social Affairs, the responsible social assistance institutions and institutions to which the tasks of the labor market service are assigned ( § 30 para. 3 and § 32 para. 3) and may be disclosed by them to the employment service. (7) If this is necessary for the fulfillment of the statutory tasks, health data (paragraph one, number 4) may be disclosed by the employment service to the the responsible social security institutions, the Ministry of Social Affairs Service, the responsible social assistance institutions and institutions to which tasks of the labor market service have been assigned (section 30, paragraph 3 and paragraph 32, paragraph 3) and by them to the labor market service.
(8) Employers may only disclose data in accordance with paragraph 1 that is required to establish an employment relationship and assess the professional suitability of job seekers. Health data may not be disclosed to employers. (8) Employers may only disclose data in accordance with paragraph one that is required to establish an employment relationship and assess the job seekers' professional suitability. Health data may not be disclosed to employers.
(9) The data in accordance with paragraph 1 must be retained for seven years after the end of the respective business transaction. The retention period is extended for periods during which the data is still required to assert, exercise or defend legal claims or other legal regulations stipulate longer periods. For economic and technical reasons, the deletion of data should be concentrated on one or two dates per year. Until then, there is no right to early deletion. (9) The data in accordance with paragraph one must be retained for seven years after the end of the respective business transaction. The retention period is extended for periods during which the data is still required to assert, exercise or defend legal claims or other legal regulations stipulate longer periods. For economic and technical reasons, the deletion of data should be concentrated on one or two dates per year. Until then, there is no right to early deletion.
(10) The employment service has taken sufficient precautions to ensure data security within the meaning of Articles 24, 25 and 32 of Regulation (EU) No. 2016/679 on the protection of natural persons during processing, taking into account economic justification and the state of the art of personal data, the free movement of data and the repeal of Directive 95/46/EC (General Data Protection Regulation), OJ No. L 119 of May 4, 2016, p. 1, (hereinafter: GDPR) and Section 6 of the GDPR. In particular, recording or changing personal data is only permitted by the responsible organizational units (employees). When personal data is transmitted to third parties, technical or organizational measures must be taken to ensure that only the intended recipients have access to the data. Access and reading rights must be designed according to the tasks (roles) of the respective organizational units and employees. Access to personal data and any transmission of health data must be logged. Log data may not be used for personal purposes unless this is necessary to enforce or defend legally asserted claims, to ensure the lawful use of data processing or for technical reasons. (10) The employment service has taken sufficient precautions, taking into account economic justification and the state of the art for ensuring data security within the meaning of Articles 24, 25 and 32 of Regulation (EU) No. 2016/679 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (data protection -Basic Regulation), OJ No. L 119 of May 4, 2016, p. 1, (hereinafter: GDPR) and paragraph 6, DSG. In particular, recording or changing personal data is only permitted by the responsible organizational units (employees). When personal data is transmitted to third parties, technical or organizational measures must be taken to ensure that only the intended recipients have access to the data. Access and reading rights must be designed according to the tasks (roles) of the respective organizational units and employees. Access to personal data and any transmission of health data must be logged. Log data may not be used for personal purposes unless this is necessary to enforce or defend legally asserted claims, to ensure the lawful use of data processing or for technical reasons.
(11) The data processing to be carried out on the basis of paragraphs 1 to 10, § 69 AlVG and §§ 27 and 27a AuslBG meet the requirements of Article 35 paragraph 10 GDPR for the loss of data protection (11) The data processing based on the Paragraphs one to 10, paragraph 69, AlVG and paragraphs 27 and 27a AuslBG meet the requirements of Article 35, paragraph 10, GDPR for the omission of the data protection impact assessment.
(...)
Obligation of confidentiality
§ 27. Paragraph 27, (1) Unless otherwise provided by law, the bodies of the employment service are obliged to maintain secrecy about all facts that become known to them in the course of their official activities, the secrecy of which is in the interest of maintaining public peace, order and security comprehensive national defense, foreign relations, in the economic interest of the employment service, in preparation for a decision or in the overriding interest of the parties. The responsible superior must release this obligation at the request of a court or an administrative authority if this is in the interest of justice or other public interest.
(2) The obligation of confidentiality in accordance with paragraph 1 also applies after leaving the position and after termination of the employment relationship. The obligation of confidentiality in accordance with paragraph 1 also applies to persons who belong to a committee of the administrative board, the state directorate or the regional advisory board. (2) The obligation of confidentiality in accordance with paragraph one also applies after leaving the position and after termination of the employment relationship . The obligation of confidentiality in accordance with paragraph one also applies to persons who belong to a committee of the administrative board, the state directorate or the regional advisory board.
(...)
Goal and task fulfillment
§ 29. Paragraph 29, (1) The aim of the labor market service is, within the framework of the Federal Government's full employment policy to prevent and eliminate unemployment while maintaining social and economic principles in the sense of an active labor market policy, to bring together the labor supply as completely, economically sensible and sustainably as possible - demand, and thereby ensure the supply of the economy with workers and the employment of all people who are available to the Austrian labor market in the best possible way. This includes securing economic existence during unemployment within the framework of the legal provisions.
(2) In order to achieve this goal, the employment service must provide services within the framework of the legal provisions that are aimed at:
1. to bring about the placement of suitable workers in an efficient manner into jobs that, if possible, offer employment that corresponds to the placement wishes of the job seeker,
2. to help overcome the effects of circumstances that hinder direct mediation within the meaning of number 1, to help overcome the effects of circumstances that hinder direct mediation within the meaning of number one,
3. to counteract the confusion of the labor market,
4. Reduce quantitative or qualitative imbalances between labor supply and labor demand,
5. to enable the preservation of jobs if it makes sense within the meaning of paragraph 1 and to enable the preservation of jobs if it makes sense within the meaning of paragraph one and
6. To secure the economic existence of the unemployed.
(3) The tasks of the labor market service include, in particular, ensuring vocational training opportunities for young people by placing them in suitable apprenticeships and supplementary measures such as commissioning training institutions for inter-company apprenticeship training in accordance with Section 30b of the Vocational Training Act (BAG), Federal Law Gazette No. 142/1969 , or from training institutions in accordance with Section 2 Paragraph 4 of the Agricultural and Forestry Vocational Training Act, Federal Law Gazette I No. 298/1990. (3) The tasks of the labor market service include, in particular, ensuring vocational training opportunities for young people through placement in suitable apprenticeships and supplementary measures such as the commissioning of training institutions for inter-company apprenticeship training in accordance with paragraph 30 b, of the Vocational Training Act (BAG), Federal Law Gazette No. 142 from 1969, or of training institutions in accordance with paragraph 2, paragraph 4, of the Agricultural and Forestry Vocational Training Act, Federal Law Gazette Part One, No. 298 from 1990.
(4) The tasks of the labor market service also include promoting the re-employment of people with health problems through placement in suitable jobs and supplementary or preparatory measures. Particular attention must be paid to individual performance, the development and expansion of qualifications that can be used on the labor market and securing economic existence.
(...)
Principles in the performance of tasks
§ 31Paragraph 31,. (1) Anyone can use the services of the labor market service that are not provided in the official procedure at all offices and facilities of the labor market service that offer these services, provided that the principles stated in paragraph 5 do not conflict with this. . (1) Anyone can use the services of the labor market service that are not provided in the official procedure at all offices and facilities of the labor market service that offer these services, provided that the principles stated in paragraph 5 do not conflict with this.
(2) If there is no legal entitlement to services from the employment service, the choice, type and, if necessary, combination of the services used must be based on the requirements of the individual case, taking into account that they correspond as best as possible to the objective stated in Section 29. When carrying out its tasks, the employment service must ensure that the interests of employers and employees are appropriately balanced. (2) If there is no legal entitlement to services from the employment service, the choice, type and, if necessary, combination of the services used must be based on the requirements of the individual case, taking into account that they correspond as best as possible to the objective stated in paragraph 29. When carrying out its tasks, the employment service must ensure that the interests of employers and employees are appropriately balanced.
(3) For people who have particular difficulties in obtaining or maintaining a job either because of their personal circumstances or because they belong to a group that is disadvantaged in the labor market, the services of the labor market service within the meaning of paragraph 2 must be designed in this way and, if necessary, in this way to make greater use of ensuring that the greatest possible equality of opportunity with other workers is created. In particular, the gender-specific division of the labor market and discrimination against women on the labor market must be counteracted through appropriate use of services. (3) For people who have particular difficulties in obtaining or maintaining a job, either because of their personal circumstances or because they belong to a group that is disadvantaged in the labor market, the services of the employment service within the meaning of paragraph 2 must be designed in this way and, if necessary, in this way to make greater use of ensuring that the greatest possible equality of opportunity with other workers is created. In particular, the gender-specific division of the labor market and discrimination against women on the labor market must be counteracted through appropriate use of services.
(4) The activity of the employment service is, as far as it is
- ensuring compliance with and implementation of the federal government's labor market policy,
- the equal treatment of similar matters,
- the necessary uniformity of approach and
- Achieving the highest possible efficiency and expediency in service provision
allow to be carried out decentrally. Unless expressly stated otherwise, the services of the employment service are to be provided by the regional organizations.
(5) In all activities, the employment service must take into account the principles of thrift, economy and expediency from the perspective of the best possible achievement of the goal stated in Section 29. Internal controlling must be set up to evaluate the efficiency of the employment service's activities. (5) In all activities, the employment service must take into account the principles of thrift, economy and expediency from the perspective of the best possible achievement of the goal stated in paragraph 29. Internal controlling must be set up to evaluate the efficiency of the employment service's activities.
(6) The employment service must, in particular in projects relating to ensuring vocational training opportunities for young people in accordance with Section 29 Paragraph 3, take into account the different needs in the individual federal states and strive for the cooperation and appropriate financial participation of the respective federal state in order to best fulfill the tasks. (6) The employment service must, in particular in projects relating to ensuring vocational training opportunities for young people in accordance with paragraph 29, paragraph 3, take into account the different needs in the individual federal states and strive for the cooperation and appropriate financial participation of the respective federal state in order to best fulfill the tasks .
(7) When planning measures, the employment service must ensure that suitable support services are offered to groups of people who are particularly at risk of unemployment.
(8) The measures are intended in particular to promote the maintenance and expansion of marketable qualifications of employees. The labor market service can participate in measures taken by other legal entities to improve the framework conditions for long-term health maintenance.
(...)
Services
§ 32. Paragraph 32, (1) The employment service must provide its services in the form of services whose purpose is to place job seekers in vacancies, to secure employment and to secure livelihoods within the meaning of § 29. (1) The labor market service must provide its services in the form of services whose purpose is to place job seekers in vacancies, to secure employment and to secure livelihoods within the meaning of paragraph 29.
(2) Services to prepare, enable or facilitate such placement or job security are in particular
1. Information about the job market and the professional world,
2. Advice on choosing a career,
3. Support in establishing or maintaining the employability of workers,
4. Supporting workforce skills and
5. Supporting companies in finding and selecting suitable workers as well as designing internal workforce planning,
6. Assisting job seekers in finding and selecting a job and
7. Supporting businesses and workers to create and maintain jobs.
(3) To the extent that the employment service cannot itself provide services within the meaning of paragraph 2 or whose provision would be inappropriate or uneconomical, it must ensure that such services are provided in another way on the basis of contractual agreements, e.g. by transferring them to suitable institutions to provide. In doing so, the interests of third parties worthy of protection within the meaning of Section 1 Paragraph 1 of the Data Protection Act must not be violated. (3) If the employment service cannot itself provide services within the meaning of Paragraph 2 or the provision of which would be inappropriate or uneconomical, it must take precautions for this , that such services are provided in another way on the basis of contractual agreements, e.g. by transferring them to suitable institutions. The interests of third parties worthy of protection within the meaning of paragraph one, paragraph one, of the Data Protection Act may not be violated.
(4) Services are generally free of charge. For special services, such as testing and pre-selection of applicants or special advertising measures and personnel consulting measures for companies, the administrative board can set an appropriate fee, which goes to the employment service. In any case, services for employees, the unemployed and job seekers must be provided free of charge.
(5) If services of the labor market service fall under the provisions of Section 2 of the Labor Market Promotion Act (AMFG), Federal Law Gazette No. 31/1969, the provisions of Sections 3 to 7 AMFG apply to them. (5) If services of the labor market service fall under the provisions of paragraph 2 of the Labor Market Promotion Act (AMFG), Federal Law Gazette No. 31 of 1969, fall, the provisions of paragraphs 3 to 7 AMFG apply to them.
(...)
Care plan
§ 38c. Paragraph 38 c, The regional office must draw up a care plan for each unemployed person, which, based on the expected need for care, contains in particular the type of care and the measures envisaged as well as a justification for the intended procedure. The care plan must pay particular attention to the relevant aspects in accordance with Section 9 Paragraphs 1 to 3 AlVG. When it comes to placement and measures to improve placement opportunities, the unemployed person's qualifications (knowledge and skills of a professional and technical nature) that can be used on the labor market must be taken into account and these should be maintained if possible or expanded if necessary. If the circumstances that are important for integration into the labor market change, the care plan must be adjusted accordingly. The regional office must seek agreement with the unemployed person about the care plan. If an agreement cannot be reached, the care plan must be determined unilaterally by the regional office, taking the interests of the unemployed person into account as much as possible. The care plan must be made known to the unemployed person. There is no legal entitlement to a specific care plan or to measures envisaged in the care plan. The board of directors must issue a guideline to ensure a uniform approach when creating and adapting care plans. The regional office must draw up a care plan for each unemployed person, which, based on the expected need for care, contains in particular the type of care and the planned measures as well as a justification for the intended approach. In the care plan, particular attention must be paid to the relevant aspects in accordance with paragraph 9, paragraph one, to 3 of the AlVG. When it comes to placement and measures to improve placement opportunities, the unemployed person's qualifications (knowledge and skills of a professional and technical nature) that can be used on the labor market must be taken into account and these should be maintained if possible or expanded if necessary. If the circumstances that are important for integration into the labor market change, the care plan must be adjusted accordingly. The regional office must seek agreement with the unemployed person about the care plan. If an agreement cannot be reached, the care plan must be determined unilaterally by the regional office, taking the interests of the unemployed person into account as much as possible. The care plan must be made known to the unemployed person. There is no legal entitlement to a specific care plan or to measures envisaged in the care plan. The board of directors must issue a guideline to ensure a uniform approach when creating and adapting care plans.
(...)"
32 5.2. On the assessment of the relevant action of the AMS as a sovereign or private sector and on the question of the applicability of Section 1 Paragraph 2 of the DSG to the facts at hand DSG on the facts at hand
33 5.2.1. The appeal argues that the data processing in question by the mP takes place within the framework of sovereign administration. There are no comprehensible reasons for attributing the processing to the area of private sector administration, especially since Section 29 AMSG states the placement of suitable workers in jobs as the goal and task of the mP. However, the task of providing employment is inextricably linked to the Unemployment Insurance Act (AlVG). AMAS cannot be viewed separately from official activity under the AlVG because this data processing ultimately serves as a basis for decision-making for job placement and, relatedly, for unemployment insurance claims. Since the data processing in question is carried out within the framework of the sovereign administration, Section 1 Para. 2 DSG requires the respective legislature to provide material-specific regulations in the sense that the cases of permissible interference with the fundamental right to data protection are specified and limited. The appeal argues that the data processing in question by the mP takes place within the framework of sovereign administration. There are no comprehensible reasons for attributing the processing to the area of private sector administration, especially since Paragraph 29, AMSG states the placement of suitable workers in jobs as the goal and task of the mP. However, the task of providing employment is inextricably linked to the Unemployment Insurance Act (AlVG). AMAS cannot be viewed separately from official activity under the AlVG because this data processing ultimately serves as a basis for decision-making for job placement and, relatedly, for unemployment insurance claims. Since the data processing in question is carried out within the framework of the sovereign administration, paragraph one, paragraph 2, DSG requires the respective legislature to provide material-specific regulations in the sense that the cases of permissible interference with the fundamental right to data protection are specified and limited.
34 The response to the appeal counters that the AMSG essentially regulates the “services” of the employment service (AMS) and thus the private sector tasks of the mP, in particular its work in job placement, including the organization and implementation of training courses and the awarding of aid. The processing in question - AMAS - is used for mP's activities in the private sector. These tasks of the mP provided for in Sections 29 ff AMSG would be carried out using means of private law, with the basis for the procedure essentially being the supervision agreement in accordance with Section 38c AMSG. There is no entitlement to any services. In this sense, Section 32 AMSG provides that the mP must provide its services in the form of services described in more detail, to which there is expressly no legal entitlement. This also applies to the awarding of aid. The applicant herself assumes that the data processing in question is used for the purposes of job placement in accordance with Sections 29 ff AMSG. It should be noted that AMAS is not used for job placement itself, but only for targeted support for mP activities in the private sector. These tasks of the mP provided for in paragraphs 29, ff AMSG would be carried out using means of private law, with the basis for the procedure essentially being the supervision agreement in accordance with paragraph 38 c, AMSG. There is no entitlement to any services. In this sense, paragraph 32, AMSG stipulates that the mP must provide its services in the form of services described in more detail, to which there is expressly no legal entitlement. This also applies to the awarding of aid. The applicant herself assumes that the data processing in question is used for the purposes of job placement in accordance with paragraphs 29, ff of the AMSG. It should be noted that AMAS cannot be used for job placement itself, but only for targeted support and support. The program serves to choose the right care strategy. The job placement itself takes place independently of the calculated opportunities on the labor market. From all of this it follows that the requirement of Section 1 Paragraph 2 DSG, according to which an intervention in the fundamental right to data protection by a state authority may only take place on the basis of a qualified legal basis, does not apply. and funding use can be used. The program serves to choose the right care strategy. The job placement itself takes place independently of the calculated opportunities on the labor market. From all of this it follows that the requirement of paragraph one, paragraph 2, DSG, according to which an intervention in the fundamental right to data protection by a state authority may only take place on the basis of a qualified legal basis, does not apply.
35 5.2.2. The balancing of interests stipulated in Section 1 Para. 2 DSG requires an (explicit) legal regulation for the admissibility of official interventions in data protection secrecy, which is necessary for the reasons stated in Article 8 Para. 2 ECHR. The explanations for this provision understand authorities to act as sovereign state bodies; What is meant is sovereign action by administrative authorities (cf. The balancing of interests stipulated in paragraph one, paragraph 2, DSG requires an (explicit) legal regulation for the permissibility of official interventions in data protection secrecy, which comes from the provisions mentioned in Article 8, paragraph 2, ECHR reasons is necessary. The explanations for this provision understand authorities as state organs acting sovereignly; what is meant is sovereign action by administrative authorities see Pürgy/Zavadil, The state authority within the meaning of Section 1 Paragraph 2 DSG 2000 in , The state authority within the meaning of Paragraph one, paragraph 2, DSG 2000 in Bauer/Reimer, Handbook on Data Protection Law [2009], 141 ff [147], with reference to ErlRV on the StF of Section 1 DSG 2000, 1613 BlgNR 20. GP 34 f;, Handbook on Data Protection Law [2009], 141 ff [147], with reference to ErlRV on the StF of paragraph one, DSG 2000, 1613 BlgNR 20. GP 34 f; Eberhard in Korinek/Holoubek, B-VG, 12th Lfg [2016], § 1 DSG, Rn. 58, mwN).VG, 12th Lfg [2016], paragraph one, DSG, Rn. 58, mwN).
36 5.2.3. Sovereign administration occurs when the administrative bodies act with “imperium”, i.e. with the use of specific state command and coercive power. They act in the legal forms that public law provides for the exercise of official powers (cf. VfGH March 3, 2001, KI-2/99). Sovereign administration occurs when the administrative bodies are referred to as “imperium”, i.e occur with the use of specific state command and coercive power. They act in the legal forms that public law makes available for the exercise of official powers (compare, for example, Constitutional Court 3.3.2001, KI-2/99).
37 The determination that an administrative body carries out an act of public service, thus a public administrative task, does not exclude the qualification of such an activity as private sector administration. When it comes to demarcating the area of private sector administration from that of sovereign administration, the motives and purpose of the activity are not important; what is more important is what legal technical means the legislation provides for the realization of the tasks to be fulfilled. If the legislature has not endowed the administrative body with coercive powers, then this is not sovereign administration, but rather private sector administration (cf. Constitutional Court October 18, 1957, KI-1/57; cf. also the statements in The determination that an administrative body is an act of public service, therefore a public administrative task, does not exclude the qualification of such an activity as private sector administration. When delimiting the area of private sector administration from that of sovereign administration, the motives and purpose of the activity are not important; what is more important is what legal technical means the legislation uses to carry out the tasks to be fulfilled. If the legislature has not endowed the administrative body with coercive powers, then this is not sovereign administration, but rather private sector administration see VfGH 10/18/1957, KI-1/57; see also the statements in Raschauer, Allgemeines Verwaltungsrecht6, 2021, No. 694 ff).
38 According to the statements in - the still relevant “leading case” - VfSlg. 3262/1957, it is irrelevant for the qualification of official actions as sovereign administration whether the authority in question performs a “public task”, since not everything “public” can be carried out sovereignly. Furthermore, it is not decisive that this is a regulation in the field of public law. Nor is every act of a body vested with official powers an act of sovereignty. The fact that the authority in question works with public funds in connection with the task to be fulfilled also does not decide the questions of sovereign action, because the state also acts with public funds within the framework of private sector administration. The only decisive factor is which legal technical means the legislature has provided, i.e. whether there is a legal authorization to act sovereignly and whether such authorization is used in the specific case (see VfSlg. 3262/1957 for the qualification of official authority). Acting as a sovereign administration, it is irrelevant whether the authority in question performs a “public task”, since not everything “public” is to be carried out by the sovereign. Furthermore, it is not decisive that it is a regulation in the field of public law. Nor is it Every act of a body vested with official powers is an act of sovereignty. The fact that the authority in question works with public funds in connection with the task to be fulfilled also does not decide the questions of sovereign action, because even in the context of private sector administration the state works with public resources The only decisive factor is which legal technical means the legislature has provided, i.e. whether there is a legal authorization for sovereign action and whether this is used in the specific case (see Raschauer, ibid).
39 The term “simple sovereign administration” covers administrative actions that are not of a private economic nature, but belong to the area of sovereign administration, even if no sovereign act is made in the specific case. In simple sovereign administration, the administrative bodies do not act in the forms of action of the decision, the direct administrative authority to command and coerce or the regulation, although this power to order and enforce is present in the background. In this sense, the simple sovereign administration is a potentially sovereign administration that can become the current sovereign administration through the use of empire; It is therefore a matter of “different intensity” of an administrative activity, which as a whole belongs to the area of sovereign administration (cf. VwGH April 15, 2016, Ra 2016/02/0028). There can be acts of administration that do not have any independent normativity, but undoubtedly the term “simple sovereign administration” covers administrative actions that are not of a private economic nature, but belong to the area of sovereign administration, even if no sovereign act is taken in the specific case . In simple sovereign administration, the administrative bodies do not act in the forms of action of the decision, the direct administrative authority to command and coerce or the regulation, although this power to order and enforce is present in the background. In this sense, the simple sovereign administration is a potentially sovereign administration that can become the current sovereign administration through the use of empire; It is therefore a matter of “different intensity” of an administrative activity, which as a whole belongs to the area of sovereign administration (see VwGH April 15, 2016, Ra 2016/02/0028). There can be acts of administration that do not have any independent normativity, but are undoubtedly - preparatory, accompanying, implementing - within the framework of sovereign administration. In some cases it is even expressly stipulated that the refusal of such (actual) performance should be made with a notice, which is probably the clearest indication that the case of positive approval or fulfillment must also be qualified as a sovereign act. The simple sovereign administration can therefore no longer be determined solely on the basis of the limited number of typified forms of sovereign acts. What is crucial is that certain actions are taken that can be found both in the area of sovereign administration and in the area of private sector administration. What makes these actions a sovereign act is the context in which they are taken (cf. again, within the framework of sovereign administration. In various cases it is even expressly provided that the refusal of such an (actual) service should be made with a notice, which is probably the clearest indication The reason for this is that the case of positive approval or fulfillment must also be qualified as sovereign action. The simple sovereign administration can therefore no longer be determined solely on the basis of the limited number of typified forms of sovereign acts. What is crucial is that certain actions are taken that can be found both in the area of sovereign administration and in the area of private sector administration. These actions are made sovereign actions by the context in which they are set (compare Raschauer, ibid).
40 5.2.4. It is undisputed that the mP has to fulfill both private-sector and sovereign tasks (see Section 31 Paragraph 1 AMSG) because it faces job seekers both as a (contractual) partner and as a holder of state sovereignty. It is undisputed that the mP has to fulfill both private-sector and sovereign tasks (see paragraph 31, paragraph one, AMSG) because it faces job seekers both as a (contractual) partner and as a bearer of state sovereignty.
41 5.2.4.1. The mP acts in the area of sovereign administration if it decides on benefits to which there is a legal claim - for example under the AlVG. However, the care activity in question, including the creation of a care plan/a care agreement provided for in this context, takes place without the law granting the mP coercive powers or giving the job seeker a legal claim to the support measures envisaged there as being effective. Rather, the mP has to fulfill its tasks in the service of “the Federal Government's full employment policy to prevent and eliminate unemployment while respecting social and economic principles” (cf. Section 29 Paragraph 1 AMSG) in the form of services that everyone can use can (Section 31 Paragraph 1 AMSG). The case-specific activity of the mP is therefore not to be viewed as sovereign in the narrower sense. a legal claim exists. However, the care activity in question, including the creation of a care plan/a care agreement provided for in this context, takes place without the law granting the mP coercive powers or giving the job seeker a legal claim to the support measures envisaged there as being effective. Rather, the mP has to fulfill its tasks in the service of “the full employment policy of the Federal Government to prevent and eliminate unemployment while respecting social and economic principles” (see paragraph 29, paragraph one, AMSG) in the form of services that everyone can use (Section 31, paragraph one, AMSG). The case-specific activity of the mP is therefore not to be viewed as sovereign in the narrower sense.
42 5.2.4.2. The possibility of this simply being sovereign action must be questioned because - as the appeal argues - employment placement is in an “inseparable connection with the AlVG”.
43 According to the undisputed findings, the results of the AMAS should be used in the counseling process and should be a starting point for the counselors to work with the job seeker to assess the potential and, if necessary, the obstacles to labor market integration. Due to this debate, the optimal care strategy - support and care services - needs to be defined. The consultant makes the final decision about assignment to one of the customer groups. If the job seeker has a decidedly different assessment of labor market opportunities than the advisor, this must be documented in the supervision agreement.
44 Based on this, the following should be considered:
45 Against the background of the AMSG, the task of the mP is to prevent and eliminate unemployment while maintaining social and economic principles in the sense of an active labor market policy (Section 29 Paragraph 1 AMSG). According to the materials on the AMSG (RV 1468 BlgNR 18. GP, 32; AB 1555 BlgNR 18. GP), the sole purpose of the law is to reform the labor market administration and the associated re-achievement of full employment and the participation of job seekers in working life The central aim of the provisions of the AMSG is to achieve the highest possible level of employment, which is to be achieved through the organization of the mP, for whose services the rapid placement of productive and individually satisfying employment is the top priority. According to Section 29 of the AMSG, economic existence should be guaranteed during the time of the job search. Securing livelihoods in the form of recurring benefits to job seekers is therefore part of labor market policy. This basic idea of active labor market policy can be achieved through specific measures tailored to the individual case and taking into account the greatest possible compatibility of full employment and economic growth. It follows from this objective of the AMSG that, on the one hand, the AMS should provide job seekers with an overview of the domestic labor market and orientation within it, and on the other hand, through targeted advice and assistance, it should be able to find a job that corresponds to the individual's individual abilities (cf. to All this OGH January 30, 2001, 1 Ob 257/00a). Against the background of the AMSG, the task of the MP is to prevent and eliminate unemployment while maintaining social and economic principles in the sense of an active labor market policy (Section 29, paragraph one, AMSG). According to the materials on the AMSG (RV 1468 BlgNR 18. GP, 32; AB 1555 BlgNR 18. GP), the sole purpose of the law is to reform the labor market administration and the associated re-achievement of full employment and the participation of job seekers in working life The central aim of the provisions of the AMSG is to achieve the highest possible level of employment, which is to be achieved through the organization of the mP, for whose services the rapid placement of productive and individually satisfying employment is the top priority. According to Paragraph 29, AMSG, economic existence should be guaranteed during the time of job search; securing livelihoods in the form of recurring benefits to job seekers is therefore part of labor market policy. This basic idea of active labor market policy can be achieved through specific measures tailored to the individual case and taking into account the greatest possible compatibility of full employment and economic growth. From this objective of the AMSG it follows that, on the one hand, the AMS should provide job seekers with an overview of the domestic labor market and orientation within it, and on the other hand, through targeted advice and assistance, they should find a job that corresponds to the individual's individual abilities (compare the OGH). January 30, 2001, 1 Ob 257/00a).
46 The entitlement to unemployment benefit (Section 47 Paragraph 1 AlVG) is of a sovereign nature; When deciding whether a person is entitled to unemployment benefit, official tasks are carried out. However, as can be seen from Section 31 Paragraph 1 AMSG, the placement of job seekers is in any case not sovereign (see OGH November 24, 2015, 1 Ob 208/15t, mwN). The entitlement to unemployment benefit (Section 47, paragraph one, AlVG) is of a sovereign nature; When deciding whether a person is entitled to unemployment benefit, official tasks are carried out. However, as can be seen from paragraph 31, paragraph one, AMSG, the placement of job seekers is in any case not sovereign (see OGH November 24, 2015, 1 Ob 208/15t, mwN).
47 The relevant advice according to the findings, in the context of which the data processing in question takes place, does not intentionally serve - regardless of the close thematic connection - to prepare the settlement of claims from unemployment insurance, but rather for the purpose of bringing together supply and demand on the labor market . The advisory process, which is legally designed as a service and which, in accordance with Section 31 Paragraph 1 AMSG, is also open to job seekers who are not recipients of unemployment benefits, is neither carried out with sovereign resources nor does it intentionally lead to the preparation of the settlement of claims from unemployment insurance, but rather to Purpose of bringing together supply and demand in the labor market. The advisory process, which is legally designed as a service and which, according to paragraph 31, paragraph one, AMSG, is also open to job seekers who are not recipients of unemployment benefits, is neither carried out using sovereign means nor does it - given the lack of reciprocal rights and obligations - result in a sovereign act. The purely factual connection between unemployment and possible support under the AlVG in the event of an unsuccessful job search does not make advice on reintegration into the labor market itself a preparatory act for official activity in granting support, and in the absence of a sufficient normative connection, not even if it is directed at people who are already receiving benefits according to the AlVG.
48 This also applies to the “care plan”: According to Section 38c AMSG, inserted by the Labor Market Reform Act 2004, BGBl and manner of care and the measures envisaged as well as a justification for the intended procedure. The explanations of the legislator, ErlRV 464 BlgNR 22. GP 9, read in part: This also applies to the “care plan”: According to paragraph 38 c, AMSG, inserted by the Labor Market Reform Act 2004, Federal Law Gazette Roman One No. 77, the AMS has for Every unemployed person must draw up a care plan that contains “based on the expected need for care, in particular the type of care and the measures envisaged, as well as a justification for the intended approach”. The explanations of the legislator, ErlRV 464 BlgNR 22. GP 9, read in part:
“The basic principles of the support plan, which has already been used in the employment service with good experience, should now be explicitly anchored in law. The support plan is not attributable to the sovereign administration, but is only intended to define the framework conditions for the placement and placement-supporting activities of the employment service that clearly belong to the private sector administration. The care plan is intended to ensure a uniform, sensible, predictable approach to the care and placement of unemployed people that corresponds to the principle of trust. Depending on the sometimes very different conditions for successful reintegration into the labor market, different requirements must be placed on the care of the unemployed. This results in graduated requirements for the care plan. Discussions to clarify the situation and about the care process will usually take into account whether the unemployment is only temporary and can probably be remedied in the foreseeable future without special measures or with regard to, for example, age, lack of qualifications, health restrictions, care obligations or structural Problems in the labor market require special efforts. (...) The agreement on the care plan must be made within the scope of the existing discretion. If the ideas of the unemployed person are not in accordance with the applicable regulations, an explanation in this regard must be provided. If no agreement can be reached, the care plan must be determined unilaterally by the regional office. In any case, the care plan must be made known to the unemployed person in an appropriate manner, e.g. by handing it over or sending it to them. The support plan is intended to define the framework within which placement efforts and qualification or other measures necessary to improve employment opportunities on the labor market are to be implemented. The agreements should also record the planned personal activities of the unemployed. The care plan is binding for the actions of the employment service and the unemployed as long as it has not been changed - usually after a new consultation. (...) The support plan is intended to ensure, on the one hand, a higher degree of personal action orientation for the unemployed as well as predictability of the actions of the labor market service and, on the other hand, an overall more planned, easier to understand and, if necessary, targeted change in the approach of the labor market service. The tried and tested 'agreement culture' should be continued and expanded. (...)"
49 According to the declared will of the legislature, the mP fulfills the task of drawing up the care plan/care agreement within the framework of the private sector administration. This corresponds to the express exclusion of a legal entitlement to a specific care plan or to measures that are envisaged in the care plan (see also. According to the declared will of the legislature, the MP is responsible for the task of drawing up the care plan/care agreement within the framework of the private sector administration This corresponds to the express exclusion of a legal claim to a specific care plan or to measures that are envisaged in the care plan (see also Julcher in AlV-Komm § 9 AlVG Rz 79). Furthermore, it is crucial for the classification of the mP's case-specific advisory activity as private-sector activity that the reasonableness criteria in accordance with Section 9 Paragraphs 1 to 3 AlVG must be taken into account when drawing up the care plan; However, there is no legal provision for a binding determination of the limits of reasonableness of employment within the meaning of Section 9 AlVG, which can be derived directly from the care plan/the care agreement, or even just a binding definition of the individual case-related criteria for assessing these limits, so that the care plan against this background Limits of the reasonableness of employment in AlV-Komm Paragraph 9, AlVG Rz 79). Furthermore, it is crucial for the classification of the mP's relevant case-related advisory activities as private-sector activity that the reasonableness criteria in accordance with paragraph 9, paragraphs one to 3 of the AlVG must be taken into account when drawing up the care plan; However, there is no legal provision for a binding determination of the limits of reasonableness of employment within the meaning of Section 9, AlVG, which can be derived directly from the care plan/the care agreement, or even just a binding definition of the individual case-related criteria for assessing these limits, so that the care plan is based on this background can neither expand nor narrow the limits of the reasonableness of employment - especially in connection with possible sanctions according to Section 10 of the AlVG. Furthermore, no sanction under Section 10 AlVG can be directly linked to the care plan. Section 9 Para. 8 AlVG does not change this consequence, because the provision there can neither expand nor restrict the mP's burden of justification for reintegration measures to the job seeker. Also, no sanction under Section 10, AlVG can be directly linked to the care plan. Paragraph 9, Paragraph 8, AlVG does not change this consequence, because the provision there modifies the mP's burden of justification for reintegration measures to the job seeker - under certain conditions - in connection with an existing care plan, which itself does not create a binding relationship with the authority nor does it release them from their obligation to present a comprehensible - and in this sense independent - justification, which is subject to review (see VwGH March 28, 2012, 2010/08/0250, pointing in this direction). Justification, which is subject to a review check see VwGH March 28, 2012, 2010/08/0250 pointing in this direction).
50 In summary, from what has been said above it follows that neither the advice within the context of the employment placement itself nor the creation of the care plan (a care agreement) within the meaning of Section 38c AMSG can be attributed to the mP's sovereign area of activity (even if it is simply). Rather, this is a part of the mP's private-sector activities, which, against the background of the functional definition of authority in Section 1 Para. 2 DSG, does not meet the standard determined there for interference with the fundamental right to secrecy of personal data in accordance with Section 1 Para. 1 DSG is subject to. From what has been said above it follows that neither the advice within the framework of the employment placement itself nor the creation of the care plan (a care agreement) within the meaning of paragraph 38 c, AMSG can be attributed to the sovereign area of activity of the mP (even if it is simply). is. Rather, this is part of the mP's private-sector activities, which, against the background of the functional definition of authority in paragraph one, paragraph 2, of the Data Protection Act, does not meet the standard determined there for interference with the fundamental right to secrecy of personal data in accordance with paragraph one, Paragraph one, DSG is subject to.
51 For this reason alone, the disputed legality of the data processing that is the subject of the proceedings must be examined using the relevant provisions of the GDPR, without taking into account the standard of Section 1 Paragraph 2 of the DSG To examine the provisions of the GDPR without taking into account the standard of paragraph one, paragraph 2, DSG.
52 5.3. On the question of the existence of sufficient justifications within the meaning of Articles 6 and 9 GDPROn the question of the existence of sufficient justifications within the meaning of Articles 6 and 9 GDPR
53 5.3.1. The BVwG based its argument regarding the lawfulness of the processing in question on the conclusion that, in accordance with Article 6 Paragraph 1 Letter e GDPR and Article 9 Paragraph 2 Letter g GDPR, processing of personal data or special categories of personal data could be lawful if this processing is necessary on the basis of the law of the Member State of the controller for a task carried out in the public interest or in relation to the processing of special categories of personal data based on a significant public interest. According to Recital 41 of the GDPR, the legal basis corresponding to Article 6 Paragraph 3 of the GDPR must be clear and precise and foreseeable for the person subject to the law. Article 9 (2) (g) GDPR also requires appropriate and specific measures to safeguard the fundamental rights and interests of the data subjects. In summary, the BVwG believes that the mP must fulfill the tasks assigned to it in accordance with Section 29 Paragraph 1 AMSG in accordance with the principles of thrift, economy and expediency required by Section 31 Paragraph 5 AMSG. Section 25 (2) AMSG grants mP authorization to process personal data to the extent that this is an essential prerequisite for fulfilling the statutory tasks. The task assigned to the mP in accordance with Section 29 AMSG is undoubtedly one of considerable public interest. In order to best ensure the defined goal of optimally supplying the economy with workers and employing all people, it is undeniably necessary to take into account the personal characteristics of job seekers in combination with what is happening on the labor market. The appellant did not deny that the personal data of job seekers used could be relevant for assessing labor market opportunities. In the present case, there are no concerns that the mP may use the personal data in accordance with Section 25 Paragraph 1 AMSG to ensure “proper labor market policy”. There are no indications that such data processing is not sufficiently clearly expressed in Section 25 AMSG. Section 25 (10) AMSG takes precautions to ensure processing that complies with the principles of the GDPR and to guarantee data security. The BVwG based its argument regarding the lawfulness of the processing in question on the conclusion, in accordance with Article 6, paragraph one, Litera e, GDPR and Article 9, Paragraph 2, Litera g, GDPR may allow the processing of personal data or special categories of personal data to be lawful if this processing is based on the law of the Member State of the controller for a task carried out in the public interest or for the processing of special categories of personal data Data is required due to significant public interest. According to recital 41 of the GDPR, the legal basis corresponding to Article 6, paragraph 3, GDPR must be clear and precise and foreseeable for the subject of the law. Article 9, Paragraph 2, Litera g, GDPR additionally requires appropriate and specific measures to safeguard the fundamental rights and interests of the data subjects. In summary, the BVwG believes that the mP must fulfill the tasks assigned to it in accordance with paragraph 29, paragraph one, AMSG in accordance with the principles of thrift, economy and expediency required by paragraph 31, paragraph 5, AMSG. Paragraph 25, Paragraph 2, AMSG grants mP authorization to process personal data to the extent that this is an essential prerequisite for fulfilling the statutory tasks. The task assigned to the mP in accordance with Section 29, AMSG is undoubtedly one of considerable public interest. In order to best ensure the defined goal of optimally supplying the economy with workers and employing all people, it is undeniably necessary to take into account the personal characteristics of job seekers in combination with what is happening on the labor market. The appellant did not deny that the personal data of job seekers used could be relevant for assessing labor market opportunities. In the present case, there are no concerns that the mP may use the personal data in accordance with paragraph 25, paragraph one, AMSG to ensure “proper labor market policy”. There are no indications that such data processing is not sufficiently clearly expressed in Section 25, AMSG. Paragraph 25, paragraph 10, AMSG takes precautions to ensure processing that complies with the principles of the GDPR and to ensure data security.
54 5.3.2. In order to answer the appeal's argument, the question of whether the requirements of Articles 6 and 9 of the GDPR are met must first be addressed and it must first be stated that the question of the lawfulness of the processing against the background of these provisions is one of the questions of the ban on automated decisions Art. 22 GDPR represents a separate legal question. In order to answer the appeal's argument, the question of whether the requirements of Articles 6 and 9 GDPR are met must first be addressed and the question of the lawfulness of the processing must be addressed against the background of these provisions represents a legal question that must be separated from the question of the ban on automated decisions in accordance with Article 22, GDPR.
55 5.3.2.1. The processing of personal data is lawful in accordance with Article 6, Paragraph 1, Letter e of the GDPR. The processing of personal data is lawful in accordance with Article 6, Paragraph 1, Letter e, of the GDPR - among other things - if the processing is necessary for the performance of a task that is in the public interest or occurs in the exercise of official authority vested in the person responsible.
56 Article 6 Paragraph 1 Letter e GDPR is closely related to Article 6 Paragraphs 2 and 3, which contain more detailed requirements for the legal bases. The legal basis for the processing pursuant to Article 6 Paragraph 1 Letter e GDPR may be in accordance with Article 6 Paragraph 3 Leg. Cit. be determined by Union law or the law of the Member States to which the controller is subject. The purpose of the processing must be Article 6, paragraph one, Litera e, GDPR is closely related to Article 6, paragraphs 2 and 3, which contain more detailed requirements for the legal bases. The legal basis for the processing pursuant to Article 6, Paragraph One, Litera e, GDPR may be in accordance with Article 6, Paragraph 3, Leg. Cit. be determined by Union law or the law of the Member States to which the controller is subject. The purpose of the processing does not necessarily have to be expressly provided for in a legal basis - unlike processing in accordance with Article 6, Paragraph 1, Letter c of the GDPR. According to Art. 6 Para. 3 Sentence 2 GDPR, it is sufficient if the purpose of the processing is necessary to fulfill a task that is in the public interest or in the exercise of official authority. does not necessarily have to be expressly provided for in a legal basis. According to Article 6, paragraph 3, sentence 2 of the GDPR, it is sufficient if the purpose of the processing is necessary to fulfill a task that is in the public interest or in the exercise of official authority.
57 Recital 41 of the GDPR provides, in turn, that the relevant legal basis or legislative measure should be clear and precise and its application should be foreseeable for those subject to the law. However, Recital 45 of the GDPR does not specifically require a specific law for each individual processing operation. Rather, one law may be sufficient as a basis for several processing operations if the processing is necessary to carry out a task in the public interest.
58 Against the background of the wording of these relevant provisions, it cannot be assumed that in order to fulfill the justification requirement of Article 6 Paragraph 1 Letter e of the GDPR with regard to a specific data processing, the national legislature is in any case required to determine the data processing itself in the law. Rather, the justification is met if the task to be performed is adequately described in the legal basis and the data processing in question serves the purpose of fulfilling this task. However, this presupposes that such a task is described sufficiently clearly and specifically by the law. The legal basis in question may contain more specific regulations, but this is not mandatory (arg.: Against the background of the wording of these relevant provisions, it cannot be assumed that the national legislature is required to fulfill the justification requirement of Article 6, paragraph one, Litera e, GDPR with regard to a specific data processing is in any case required to determine the data processing itself in the law. Rather, the justification is fulfilled if the task to be performed is adequately described in the legal basis and the data processing in question serves the purpose of fulfilling this task. However, this presupposes that that such a task is described sufficiently clearly and specifically by the law. Although the legal basis in question may contain more specific regulations, this is not mandatory (arg.: “can” in Article 6 Para. 3 Third Sentence GDPR). Art. 6 para. 3 fourth sentence GDPR also for processing in accordance with Art. 6 para. 1 lit. e leg. cit. stipulates that the legal provisions pursue an objective in the public interest and must be proportionate to the legitimate purpose pursued (cf. also supporting this view in Article 6, paragraph 3, third sentence of the GDPR). Ultimately, Article 6, paragraph 3, fourth sentence of the GDPR also applies to processing in accordance with Article 6, paragraph one, Litera e, leg. cit. stipulates that the legislation must pursue a goal that is in the public interest and must be proportionate to the legitimate purpose pursued; see also Kastelitz/Hötzendorfer/Tschohl in Knyrim, der DatKomm, 2020, Art. 6 Rn. 47, supporting this view; see also, the DatKomm, 2020, Article 6, Rn. 47; also compare Buchner/Petri in Kühling/Buchner, DS-GVO, BDSG, 3rd edition, 2020, Art. 6 DS-GVO, Rn. 120 f., DS-GVO, BDSG, 3rd edition, 2020, Article 6, GDPR, paragraph 120 f).
59 5.3.2.2. The purpose of the provisions of Article 9 paragraph 1 GDPR is to ensure increased protection against such data processing, which, due to the particular sensitivity of these data, constitutes a particularly serious interference with the fundamental rights to respect guaranteed by Articles 7 and 8 of the Charter of private life and the protection of personal data (cf. the ECJ's statements on the purpose of protection in the judgment of September 24, 2019, C The purpose of the provisions of Article 9, paragraph one, GDPR is to ensure increased protection against such data processing, which, due to the particular sensitivity of these data, may represent a particularly serious interference with the fundamental rights to respect for private life and the protection of personal data guaranteed by Articles 7 and 8 of the Charter, see the ECJ's comments on the purpose of protection in the judgment of September 24, 2019, C- 136/17, GC et al., para. 44).
60 The core of the legality of Art must be required. While a public interest is generally necessary for the processing of personal data (Article 6 Paragraph 1 Letter e GDPR), the processing of sensitive data within the meaning of Article 9 Paragraph 1 GDPR requires the legality of Article 9 Paragraph 2, Litera g, GDPR is that the processing must be necessary for reasons of significant public interest. While a public interest is generally necessary for the processing of personal data (Article 6, paragraph one, Litera e, GDPR), the processing of sensitive data within the meaning of Article 9, paragraph one, GDPR - according to its wording - requires one such significant interest. This means that a specific consideration and a special legitimacy are required for the use of such data (see the explanations regarding such a significant interest for the interpretation of the corresponding legal situation in Germany. This means that a specific consideration and a special legitimacy are required for the use of such data For the interpretation of the corresponding legal situation in Germany, compare the statements in Kühling/Buchner, DS-GVO, BDSG, 3rd edition, Art. 9 para. 91, see also ECJ 24.9 on Art .2019, C-136/17, , GDPR, BDSG, 3rd edition, Article 9, paragraph 91, compare to Article 9, paragraph 2, litera g, GDPR also already ECJ September 24, 2019, C-136 /17, GC et al. [Delisting of sensitive data], para. 61).
61 The requirements for the legal basis in Art. 9 GDPR are not specified in more detail. Art. 9 Para. 2 lit. g GDPR, like Art. 6 Para. 1 lit. e leg. cit. as a justification for the need for processing for reasons of a The requirements for the legal bases in Article 9, GDPR are not specified. Article 9, paragraph 2, Litera g, GDPR as well as Article 6, paragraph one, Litera e, leg. cit. as a justification for the need for processing for reasons of public interest - significant in connection with Article 9, paragraph 2, letter g. With regard to the structural similarities of these two justifications and the respective reference to Union law or the law of a Member State, and in the absence of an order to the contrary, this also applies to justify the processing of special categories of personal data within the meaning of Article 9 Paragraph 2 Letter g of the GDPR assume that public interest. In view of the structural similarities between these two justifications and the respective reference to Union law or the law of a Member State, and in the absence of an order to the contrary, this also applies to justify the processing of special categories of personal data within the meaning of Article 9, Paragraph 2, Litera g, GDPR It can be assumed that - just as with the justification in Article 6, Paragraph 1, Letter e - as with the justification in Article 6, Paragraph 1, Letter e, - the sufficiently clear definition of the task to be fulfilled by the processing - in the context of these data has a special quality (arg.: “significant public interest”) - is necessary but also sufficient (cf. the explanations of required but also sufficient, compare the explanations of Schörghofer/Warter, The legal basis for data processing in FS-Pfeil , 2022, 721ff [734]). This view corresponds to the view of the ECJ in C-136/17, according to which Article 9 (2) (g) GDPR allows the processing of the special categories of data referred to in Article 9 if it is necessary for reasons of significant public interest, namely on the basis of Union law or the law of a Member State, which is proportionate to the objective pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject, as the ECJ has stated in this The right to free information, protected by Article 11 of the Charter, is a possible justifying legal basis for the data processing at issue there (cf. ECJ, loc. cit., paras. 61, 66 and 68). In this examination, the ECJ in no way focuses on whether the justifying legal basis describes the disputed data processing itself. The legal basis for data processing in FS Pfeil, 2022, 721ff [734]). This view corresponds to the view of the ECJ in C-136/17, according to which Article 9, Paragraph 2, Litera g, GDPR allows the processing of the special categories of data referred to in Article 9, when it is necessary for reasons of significant public interest, namely on the basis of Union law or the law of a Member State, which is proportionate to the objective pursued, respects the essence of the right to data protection and provides for appropriate and specific measures to safeguard the fundamental rights and interests of the data subject, as the ECJ has stated in this Article 11, the right to free information protected by the Charter, provides a possible justifying legal basis for the data processing at issue there (see ECJ loc. cit., paras. 61, 66 and 68). In this examination, the ECJ in no way focuses on whether the justifying legal basis describes the disputed data processing itself.
62 5.3.2.3. Given this legal situation, the following emerges on a case-by-case basis:
First of all, it should be noted that the question of the existence of a public interest in the tasks assigned to the mP by Sections 29, ff. AMSG should be noted - also by the appeal - is not disputed.
63 § 29 para. 1 AMSG defines the task of the mP; Section 29 Paragraph 2 AMSG states the objectives of the mP's activity to be achieved in connection with the fulfillment of this task. Section 30 (2) AMSG also explicitly norms the mP's obligation to ensure labor market monitoring and statistics. By detailing the principles on which the fulfillment of tasks must be based, in Section 31 AMSG it is also clear which requirements must be met when fulfilling the task. Section 25 (1) AMSG limits the authorization for processing to the statutory task and to such processing that is an essential prerequisite for the fulfillment of the task. By listing the data and directly linking it to the permitted processing purpose, it is clearly and foreseeably regulated for the data subject which data may be processed for which purpose. There is no doubt that Sections 29 to 31 AMSG enact the task in which the mP is authorized to process the data listed in Section 25 Paragraph 1 AMSG, and thus the framework for the permitted purpose of data processing is sufficiently clear describe precisely. It is obvious that the assessment of a job seeker's labor market prospects is a relevant parameter for efficient job placement. It can therefore be assumed that a subject to the law, given the task assigned to the mP and the services to be provided, Paragraph 29, paragraph one, AMSG defines the task of the mP; Paragraph 29, paragraph 2, AMSG states the objectives of the mP's activity to be achieved in connection with the fulfillment of this task. Paragraph 30, Paragraph 2, AMSG also explicitly specifies the mP's obligation to ensure labor market monitoring and statistics. By detailing the principles on which the fulfillment of tasks must be based, in Section 31, AMSG, it is also clear which requirements must be met when fulfilling the task. Paragraph 25, paragraph one, AMSG limits the authorization for processing to the statutory task and to such processing that is an essential prerequisite for the fulfillment of the task. By listing the data and directly linking it to the permitted processing purpose, it is clearly and foreseeably regulated for the data subject which data may be processed for which purpose. There is no doubt that paragraphs 29 to 31 of the AMSG make the task in connection with which the mP is authorized to process the data listed in paragraph 25, paragraph one of the AMSG sufficiently clear and thus the framework for the permitted purpose of data processing describe precisely. It is obvious that the assessment of a job seeker's labor market prospects is a relevant parameter for efficient job placement. It can therefore be assumed that, in view of the task assigned to the mP and the services to be provided - in particular the care plan to be drawn up in accordance with Section 38c of the AMSG - in particular the care plan to be drawn up in accordance with Section 38c of the AMSG - it is sufficiently clear to a person subject to the law that that processing the data listed in Section 25 Paragraph 1 AMSG is also useful for assessing the positioning of the job seeker in question on the labor market and can therefore be used for this purpose, which is necessary for the fulfillment of the public task. it is made sufficiently clear that processing the data listed in paragraph 25, paragraph one, AMSG is also useful for assessing the positioning of the respective job seeker in the labor market and thus for this purpose, which is necessary for the fulfillment of the public task, can be used.
64 Furthermore, with regard to the health data affected on a case-by-case basis, which are to be counted among the special categories of personal data within the meaning of Article 9 Para. 1 GDPR, it should be noted that, according to the provisions of the case law of the ECJ cited above, there can be no doubt that the legislature's objective of the best possible integration of job seekers in the national labor market pursues a significant public interest within the meaning of Article 9 Paragraph 2 Letter g of the GDPR, as this objective is related to the efficient use of state support resources and optimization of social satisfaction job seekers on the one hand and the best possible supply of the labor market on the other. The fact that case-related data processing is proportionate to the objectives pursued by this legally assigned task is not disputed and is not apparent. This is particularly so because, according to the findings in the contested decision, only those health data are processed that restrict the performance of activities on the labor market and are therefore directly related to the employment placement. Furthermore, with regard to the health data affected on a case-by-case basis, those belonging to the special categories personal data within the meaning of Article 9, paragraph one, GDPR are to be counted, it should be noted that, according to the provisions of the case law of the ECJ cited above, there can be no doubt that the legislature's objective of the best possible integration of job-seekers in the national labor market is one pursues considerable public interest within the meaning of Article 9, Paragraph 2, Litera g, GDPR, as this objective is related to the efficient use of state support resources and optimization of social satisfaction of job seekers on the one hand and the best possible supply of the labor market on the other. The fact that case-related data processing is proportionate to the objectives pursued by this legally assigned task is not disputed and is not apparent. This is particularly so because, according to the findings in the contested finding, only those health data are processed that restrict the performance of activities on the labor market and are therefore directly related to the employment placement.
65 The provisions on the confidentiality obligation of the mP bodies in Section 27 AMSG and the detailed provisions on the disclosure and storage of data in Sections 25 Paragraphs 2 to 11 AMSG leave no doubt as to the fulfillment of the requirements of Article 9 Paragraph 2 lit. g GDPR required measures to safeguard the essence of the fundamental right to protection of personal data enshrined in Art Disclosure and retention of the data in Section 25, Paragraphs 2 to 11 AMSG leave no doubt as to the fulfillment of the measures required by Article 9, Paragraph 2, Litera g, GDPR to preserve the essence of the fundamental right to the protection of personal data enshrined in Article 8, GRC on the concept of the essential content guarantee, see ECJ April 8, 2014, Digital Rights Irefond et al., C‑293/12 and C‑594/12, para. 40; see also , C‑293/12 and C‑594/12, paragraph 40; also compare Bäcker in Kühling/Buchner, DSG-VO, BDSG, commentary, 3rd edition, 2020, Art. 23 para. 57) as well as the fundamental rights and interests of the persons concerned. The revision does not bring forward anything concrete that calls this view into question.VO, BDSG, Commentary, 3rd edition, 2020, Article 23, paragraph 57) as well as the fundamental rights and interests of the persons affected. The revision does not bring forward anything concrete that calls this view into question.
66 Insofar as the appeal repeatedly refers to the fact that the BVwG did not take into account the character of profiling as a special processing procedure in connection with the requirements of Articles 6 and 9 GDPR, it is not clear from the statements to what extent the provisions mentioned impose other requirements for this form of processing should provide the justifying legal basis, especially since neither Art. 6 nor Art. 9 GDPR refers to Art. 4 Z 4 GDPR. The fact that the revision may agree that profiling represents a special form of processing does not change this view per se. Rather, the special nature of profiling is taken into account in Art. 22 GDPR, whereby the dangers of this form of processing are reflected in the prohibition formulated there or in the justifications there. Insofar as the revision repeatedly refers to the BVwG as having the character of profiling as a special processing procedure If the requirements of Articles 6 and 9 of the GDPR are not observed, it is not clear from the statements to what extent the provisions mentioned should impose different requirements on the justifying legal basis for this form of processing, especially since neither Article 6 nor Article 9 of the GDPR refers to Article 4, paragraph 4, GDPR. The fact that the revision may agree that profiling represents a special form of processing does not change this view per se. Rather, the specificity of profiling is taken into account in Article 22, GDPR, whereby the riskiness of this form of processing is reflected in the prohibition formulated there and in the justifications there.
In this respect, the revision - including in this context - is based on the requirements of Section 1 Paragraph 2 of the DSG, the jurisprudence of the Constitutional Court on the legality principle of Article 18 B on the requirements of paragraph one, paragraph 2 of the DSG, the jurisprudence of the Constitutional Court on Legality principle of Article 18, B-VG and the insufficient legal basis of the Federal Directive due to its insufficient binding nature refer to the comments on point 5.2. to point out.
67 The revision points out that in order to exercise the rights concerned, it is necessary that “the data collection must be carried out in a manner that is foreseeable for those affected [...] and in a form that can be contested and properly verified”. It should be noted that data collection itself is not at issue in this case. Rather, the subject of the appeal proceedings is the prohibition on the processing of the data issued by the applicant. The data to be collected is also listed in detail in Section 25 Para. 1 AMSG, so that there is no doubt about the predictability of the type of data to be collected. is not even in question in this case. Rather, the subject of the appeal proceedings is the prohibition on the processing of the data issued by the applicant. The data to be collected is also listed in detail in paragraph 25, paragraph one, AMSG, so that there is no doubt about the predictability of the type of data to be collected.
68 If the revision also refers to the fact that it follows from recital 41, second sentence of the GDPR, that it must be clear and foreseeable from the legal basis itself what data processing will be carried out, this cannot be reconciled with the wording of the recital. This states that “the relevant legal basis or legislative measure [...] should be clear and precise and its application [...] should be foreseeable for those subject to the law in accordance with the case law of the Court of Justice of the European Union and the European Court of Human Rights [should]". It is not clear to what extent this recital should determine the content of the provision of Article 6 Paragraph 1 Letter e GDPR, according to which the purpose of the processing must be necessary for the fulfillment of a public task. Art. 6 Para. 3 GDPR, on the other hand, expressly speaks of the need for a legal basis from which the purpose of the processing must be inferred, or the relevant task in the public interest to which the data processing must be based. Insofar as the revision in this context repeatedly returns to Section 1 Paragraph 2 Second Sentence DSG, it is again based on the statements under point 5.2. to point out that this legal provision does not apply on a case-by-case basis. If the revision also refers to the fact that it follows from recital 41, second sentence of the GDPR, that it must be clear and predictable from the legal basis itself which data processing will be carried out, this is also the case inconsistent with the wording of the recital. This states that “the relevant legal basis or legislative measure [...] should be clear and precise and its application [...] should be foreseeable for those subject to the law in accordance with the case law of the Court of Justice of the European Union and the European Court of Human Rights [should]". It is not clear to what extent this recital should determine the content of Article 6, paragraph one, Litera e, GDPR, according to which the purpose of the processing must be necessary for the fulfillment of a public task. Article 6, paragraph 3, GDPR, on the other hand, expressly speaks of the need for a legal basis from which the purpose of the processing must be inferred, or the relevant task in the public interest to which the data processing must be based. Insofar as the revision in this context repeatedly returns to paragraph one, paragraph 2, second sentence of the DSG, it in turn refers to the statements under point 5.2. to point out that this legal provision does not apply on a case-by-case basis.
69 The judgment of the ECJ of October 6, 2020, C-511/18, C-512/18 and C-520/18, which was used by the appeal as a benchmark for the sufficient specification of a legal basis, was issued on the interpretation of Article 15 Paragraph 1 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and the protection of privacy in electronic communications (Privacy Directive for electronic communications, OJ 2002, L 201, p. 37). This ECJ ruling is not relevant because it deals with the principle of data minimization in accordance with Article 5 lit. c GDPR. The appellant's decision was not based on this principle.520/18, was issued on the interpretation of Article 15, paragraph one, of Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 on the processing of personal data and the Protection of privacy in electronic communications (Electronic Communications Privacy Directive, OJ 2002 L 201, p. 37). This ECJ ruling is not relevant because it deals with the principle of data minimization in accordance with Article 5, Litera c, GDPR. The appellant's decision was not based on this principle.
70 The revision must be agreed that when processing special categories of personal data within the meaning of Art. 9 Para. 1 GDPR, the special intervention circumstances of Art. 9 Para. 2 GDPR are relevant. In this context, she criticizes the reasoning of the BVwG, according to which a review of Section 25 Paragraph 10 AMSG to ensure compliance with the requirements of necessary data security measures was not necessary because this was not the subject of the review by the applicant for the appeal. The appeal is to be agreed with, that when processing special categories of personal data within the meaning of Article 9, paragraph one, GDPR, the special intervention circumstances of Article 9, paragraph 2, GDPR are relevant. In this context, she criticizes the reasoning of the BVwG, according to which a review of paragraph 25, paragraph 10, AMSG did not have to be carried out to ensure that the requirements of necessary data security measures were met because this was not the subject of the review by the applicant for the appeal.
71 Even if this view of the BVwG were not correct, the revision does not explain to what extent the guarantees for data security in the present case - deviating from that under 5.3.2.1. assessment presented - would be inadequate. The applicant for the appeal does not put forward anything that would lead to the assumption that the confidentiality obligations of the bodies and in particular the ban on disclosing health data to employers in accordance with Section 25 Paragraph 8 AMSG as well as the legal precautions regarding the storage and guarantee of data security are not applicable on a case-by-case basis the data is adequately secured in accordance with the provisions of the GDPR. would be inadequate. The applicant for the appeal does not put forward anything that would allow the assumption that the confidentiality obligations of the bodies and in particular the prohibition on disclosing health data in accordance with Section 25, Paragraph 8, AMSG to employers as well as the legal precautions regarding the storage and guarantee of data security are not relevant on a case-by-case basis the data is adequately secured in accordance with the provisions of the GDPR.
5.4. On the question of the existence of an automated decision within the meaning of Article 22 Paragraph 1 GDPR On the question of the existence of an automated decision within the meaning of Article 22 Paragraph 1 GDPR
72 The appeal repeatedly points out that the BVwG did not take into account the nature of profiling as a special processing procedure. It follows from Recital 41, second sentence of the GDPR, that it must be clear and predictable from the legal basis itself what data processing will be carried out. The job seekers also ran the risk that AMAS' assumptions could be adopted without further processing.
73 With this argument, the appeal raises the lawfulness of the processing in question against the background of Article 22, GDPR.With this argument, the appeal raises the lawfulness of the processing in question against the background of Article 22, GDPR.
74 5.4.1. In its recent judgment of December 7, 2023, C-634/21, SCHUFA Holding [Scoring] - which remains to be seen for the present appeal decision - the ECJ issued a decision on the request for a preliminary ruling pursuant to Article 267 TFEU, submitted by the Wiesbaden Administrative Court (Germany). of October 1, 2021, regarding the interpretation of Article 22 Para. 1 GDPR stated as follows: on the question submitted with a request for a preliminary ruling under Article 267, TFEU, submitted by the Wiesbaden Administrative Court (Germany) by order of October 1, 2021 regarding the interpretation of Article 22, paragraph one, GDPR as follows:
“40 By its first question, the referring court essentially wants to know whether Article 22(1) of the GDPR is to be interpreted as meaning that an “automated decision in individual cases” within the meaning of that provision exists if a probability value based on personal data relating to a person in relation to their ability to fulfill future payment obligations is automatically created by a credit reporting agency, provided that this probability value determines whether a third party to whom this probability value is transmitted establishes, executes or terminates a contractual relationship with this person."40 With his first question The referring court essentially wants to know whether Article 22, paragraph one, GDPR must be interpreted as meaning that an 'automated individual decision' within the meaning of that provision occurs when a probability value based on personal data relating to a person with regard to their ability to Fulfillment of future payment obligations is automatically created by a credit reporting agency, provided that this probability value determines whether a third party to whom this probability value is transmitted establishes, executes or terminates a contractual relationship with this person.
41 In order to answer that question, it should first be noted that, when interpreting a provision of EU law, it is not only the wording of that provision that is taken into account, but also the context in which it is placed and the purposes and objectives pursued by the act of which it forms part must be taken into account (judgment of June 22, 2023, Pankki S, C‑579/21, EU:C:2023:501, paragraph 38 and the case law cited therein).
42 As regards the wording of Article 22 Paragraph 1 GDPR, this provision provides that a data subject has the right not to rely solely on automated processing 42 As regards the wording of Article 22 Paragraph 1 GDPR, so This provision provides that a data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him.
43 The applicability of this provision therefore depends on three cumulative conditions, namely that, firstly, there must be a 'decision'; the person concerned] must have legal effect or have a similar significant impact on the person concerned.
44 As regards, first, the condition of the existence of a decision, it should be noted that the term ‘decision’ within the meaning of Article 22(1) of the GDPR is not defined in that regulation. However, it is clear from the wording of this provision that this term refers not only to actions that have legal effects on the person concerned, but also to actions that significantly affect that person in a similar way.44 Firstly, what is the requirement for existence As regards a decision, it should be noted that the term 'decision' within the meaning of Article 22, paragraph one, GDPR is not defined in this Regulation. However, it is clear from the very wording of this provision that this term refers not only to actions that have legal effects on the data subject, but also to actions that similarly significantly affect that person.
45 The broad meaning of the term 'decision' is confirmed by recital 71 of the GDPR, according to which a decision to assess personal aspects affecting a person 'may include a measure' which has either 'legal effect on the data subject ' develops or 'significantly affects it in a similar way', although the person concerned should have the right not to be subject to such a decision. According to this recital, the term ‘decision’ includes, for example, the automatic rejection of an online credit application or online recruitment process without any human intervention.
46 Since the term 'decision' within the meaning of Article 22(1) of the GDPR can therefore, as the Advocate General pointed out in point 38 of his Opinion, encompass several actions which may affect the data subject in many ways, this term is broad enough to include the result of the calculation of a person's ability to meet future payment obligations in the form of a probabilistic value.46 Since the term 'decision' within the meaning of Article 22, paragraph one, GDPR is therefore, as the Advocate General stated in point 38 of his Opinion carried out may include several actions that may affect the person concerned in a variety of ways, this term is broad enough to include the result of the calculation of the person's ability to meet future payment obligations in the form of a probabilistic value.
47 Secondly, as regards the requirement that the decision within the meaning of Article 22 paragraph 1 of the GDPR is based exclusively on automated processing on automated processing, including profiling, it is clear, as the Advocate General stated in point 33 of his Opinion, that an activity such as that of SCHUFA falls within the definition of 'profiling' in Article 4 point 4 DSGVO complies and that this requirement is therefore met in the present case; The wording of the first question referred expressly refers to the automated creation of a probability value based on personal data about a person with regard to their ability to service a loan in the future. [must be based]', it is clear, as the Advocate General stated in point 33 of his Opinion, that an activity such as that of SCHUFA corresponds to the definition of 'profiling' in Article 4, No. 4 GDPR and that this requirement is therefore met in the present case is fulfilled; The wording of the first question referred expressly refers to the automated creation of a probability value based on personal data about a person with regard to their ability to service a loan in the future.
48 Thirdly, as regards the requirement that the decision must have a 'legal effect' on the person concerned or have a 'similarly significant effect' on the person concerned, it is clear from the content of the first question that the action of the third party to whom the probability value is transmitted is 'significantly' guided by this value. According to the factual findings of the referring court, in the case of a loan application submitted by a consumer to a bank, an insufficient probability value leads in almost all cases to the bank refusing to grant the loan applied for.
49 Consequently, it must be assumed that the third condition on which the application of Article 22(1) GDPR depends is also met, since a probability value such as that at issue in the main proceedings at least significantly affects the data subject.49 It must therefore be assumed that that the third condition on which the application of Article 22, paragraph one, GDPR depends is also met, since a probability value such as that at issue in the main proceedings at least significantly affects the data subject.
50 Therefore, in circumstances such as those in the main proceedings, where the probability value determined by a credit reporting agency and communicated to a bank plays a decisive role in the granting of a loan, the determination of that value must in itself be classified as a decision within the meaning of Article 22(1). 1 GDPR 'has legal effect on a data subject or similarly significantly affects them'.50 Therefore, in circumstances such as those in the main proceedings, in which the probability value determined by a credit reporting agency and communicated to a bank plays a decisive role in the granting of a loan plays to classify the determination of this value as such as a decision which 'produces legal effects or similarly significantly affects a data subject' within the meaning of Article 22, paragraph one, GDPR.
51 This interpretation is supported by the context in which Article 22 paragraph 1 GDPR stands and by the purposes and objectives pursued by this regulation.51 This interpretation is supported by the context in which Article 22 paragraph one , GDPR stands and is supported by the purposes and objectives pursued by this regulation.
52 In this regard, it should be noted that, as the Advocate General stated in point 31 of his Opinion, Article 22(1) of the GDPR confers on the data subject the 'right' not to rely solely on automated processing. 52 In this regard, it should be noted that , as the Advocate General noted in point 31 of his Opinion, Article 22(1) of the GDPR confers on the data subject the 'right' not to be subject to a decision based solely on automated processing, including profiling. This provision establishes a fundamental prohibition, the violation of which does not need to be asserted individually by such a person.
53 As is apparent from Article 22(2) of the GDPR, read in conjunction with recital 71 of that regulation, the adoption of a decision based solely on automated processing is permitted only in the cases referred to in Article 22(2), that is to say: that is, if it is necessary for the conclusion or performance of a contract between the data subject and the controller (point (a)), if it is permitted by Union or Member State law to which the controller is subject (point (b). ) or if it takes place with the express consent of the data subject (letter c).53 As follows from Article 22, Paragraph 2, GDPR in conjunction with recital 71 of this Regulation, the adoption of an order based exclusively on automated processing is prohibited Decision admissible only in the cases specified in Article 22, paragraph 2, i.e. that is, if it is necessary for the conclusion or performance of a contract between the data subject and the controller (point (a)), if it is permitted by Union or Member State law to which the controller is subject (point (b). ) or if it takes place with the express consent of the data subject (letter c).
54 Furthermore, Article 22(2)(b) and (3) GDPR provides that appropriate measures must be taken to safeguard the rights and freedoms and legitimate interests of the data subject. In the cases referred to in Article 22(2)(a) and (c) of this Regulation, the controller shall grant the data subject at least the right to obtain human intervention, to express his or her point of view and to challenge the decision.54 Furthermore, Article 22 , paragraph 2, letter b and paragraph 3, GDPR stipulates that appropriate measures must be taken to safeguard the rights and freedoms and legitimate interests of the data subject. In the cases referred to in Article 22, paragraph 2, points (a) and (c) of this Regulation, the controller shall grant the data subject at least the right to obtain human intervention, to express his or her point of view and to challenge the decision.
55 Furthermore, according to Article 22 Paragraph 4 of the GDPR, automated decisions in individual cases within the meaning of this Article 22 may only be based in certain special cases on special categories of personal data according to Article 9 Paragraph 1 of this regulation.55 Furthermore, according to Article 22 Paragraph 4, GDPR, automated decisions in individual cases within the meaning of this Article 22 are only based on special categories of personal data in accordance with Article 9, paragraph one, of this Regulation in certain special cases.
56 Furthermore, in the case of automated decision-making such as that within the meaning of Article 22 Paragraph 1 GDPR, the controller is subject to additional information obligations in accordance with Article 13 Paragraph 2 Letter f and Article 14 Paragraph 2 Letter g of this Regulation. On the other hand, according to Article 15 Paragraph 1 Letter h of the GDPR, the data subject has a right of information to the person responsible for processing, which in particular requires meaningful information about the logic involved as well as the scope and intended effects of such processing for the data subject ' concerns.56 Furthermore, in the case of automated decision-making such as that within the meaning of Article 22, paragraph one, GDPR, the controller is subject to additional information obligations in accordance with Article 13, paragraph 2, letter f and Article 14, paragraph 2, letter g this regulation. On the other hand, according to Article 15, paragraph one, letter h of the GDPR, the data subject has a right of information to the person responsible for processing, which in particular requires meaningful information about the logic involved as well as the scope and intended effects of such processing for the data subject ' regards.
57 These higher requirements for the lawfulness of automated decision-making as well as the additional information obligations of the controller and the associated additional information rights of the data subject are explained by the purpose pursued by Article 22 GDPR, which is to protect individuals from the particular risks to their rights and freedoms associated with the automated processing of personal data 57 These higher requirements for the lawfulness of automated decision-making as well as the additional information obligations of the controller and the associated additional information rights of the data subject are explained by the purpose pursued by Article 22, GDPR which is to protect individuals from the particular risks to their rights and freedoms associated with the automated processing of personal data - including profiling.
58 That processing requires, as follows from recital 71 of the GDPR, the assessment of personal aspects relating to the natural person concerned by that processing, in particular to analyze or predict aspects relating to his or her work performance, economic situation, health, preferences or interests, reliability or their behavior, their location or change of location.
59 According to this recital, these specific risks are likely to affect the interests and rights of the data subject, in particular with regard to any discriminatory effects against natural persons based on race, ethnic origin, political opinion, religion or belief, trade union membership, genetic disposition or state of health and sexual orientation. Therefore, according to this recital, fair and transparent processing should be ensured to the data subject, in particular through the use of appropriate mathematical or statistical methods for profiling and through technical and organizational measures that adequately ensure that the risk of errors is minimised becomes.
60 The interpretation set out in paragraphs 42 to 50 of this judgment and, in particular, the broad meaning of the term 'decision' within the meaning of Article 22(1) of the GDPR reinforces the effective protection at which that provision is intended.60 The interpretation set out in paragraphs 42 to 50 of this judgment, and in particular the broad meaning of the term 'decision' within the meaning of Article 22, paragraph one, of the GDPR, reinforces the effective protection that this provision is intended to provide.
61 On the other hand, in circumstances such as those in the main proceedings, in which three actors are involved, there would be a risk of circumvention of Article 22 of the GDPR and, consequently, a gap in legal protection if preference were given to a narrow interpretation of that provision, according to which the determination of the probability value only as preparatory act and only the act taken by the third party can, where appropriate, be classified as a 'decision' within the meaning of Article 22(1) of that regulation.61 However, in circumstances such as those in the main proceedings, in which three actors are involved, there would be a risk a circumvention of Article 22, GDPR and consequently a gap in legal protection if preference were given to a narrow interpretation of this provision, according to which the determination of the probability value is to be viewed only as a preparatory act and only the act carried out by the third party may be considered a 'decision' within the meaning of Article 22, paragraph one, of this Regulation can be classified.
62 In that case, the determination of a probability value such as that at issue in the main proceedings would not be subject to the specific requirements of Article 22(2) to (4) of the GDPR, even though that procedure is based on automated processing and has effects that are significant for the data subject since the actions of the third party to whom that probability value is communicated are largely guided by that third party.62 In this case, the determination of a probability value such as that at issue in the main proceedings would not meet the specific requirements of Article 22, paragraphs 2 to 4 GDPR, although this procedure is based on automated processing and has effects that significantly affect the data subject, since the actions of the third party to which this probability value is transmitted are largely controlled by the third party.
63 Furthermore, as the Advocate General pointed out in point 48 of his Opinion, the data subject could, on the one hand, exercise his right to information about the information referred to in Article 15(1)(h) of the GDPR from the credit reporting agency that determines the probability value relating to him specific information in the absence of automated decision-making by that company. On the other hand, the third party would be 63 Furthermore, as the Advocate General stated in point 48 of his Opinion, the person concerned could, on the one hand, exercise his right to information about the information provided for in Article 15, paragraph one, from the credit reporting agency that determines the probability value relating to him. You may not use the specific information referred to in letter h of the GDPR if there is no automated decision-making by this company. On the other hand, the third party - assuming that the act carried out by him falls under Article 22 paragraph 1 of the GDPR since it met the conditions for the application of that provision - assuming that the act carried out by him falls under Article 22, Paragraph one, GDPR, as it met the requirements for the application of this provision, would not be able to provide this specific information because it does not generally have it.
64 The fact that the determination of a probability value such as that at issue in the main proceedings is covered by Article 22(1) of the GDPR means, as stated in paragraphs 53 to 55 of this judgment, that it is prohibited unless , one of the exceptions mentioned in Article 22 Paragraph 2 GDPR is applicable and the special requirements of Article 22 Paragraph 3 and 4 GDPR are met.64 That the determination of a probability value such as that at issue in the main proceedings is governed by Article 22 Paragraph one, GDPR, has the effect, as stated in paragraphs 53 to 55 of this judgment, that it is prohibited unless one of the exceptions referred to in Article 22, paragraph 2, GDPR is applicable and the specific ones Requirements of Article 22, paragraphs 3 and 4 GDPR are met.
65 As regards, in particular, Article 22(2)(b) of the GDPR, to which the referring court refers, it is clear from the very wording of that provision that the national legislation allowing the adoption of an automated decision in individual cases requires appropriate measures to ensure protection of the rights and freedoms and the legitimate interests of the data subject.65 As regards in particular Article 22, paragraph 2, letter b of the GDPR, to which the referring court refers, it is clear from the wording of this provision that the national Legislation that allows the adoption of an automated decision in individual cases must contain appropriate measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject.
66 In the light of recital 71 of the GDPR, such measures must include, in particular, the obligation of the controller to use appropriate mathematical or statistical procedures, to adopt technical and organizational measures that adequately ensure that the risk of errors is minimized and Errors are corrected and personal data secured in a manner that takes into account potential threats to the interests and rights of the data subject, and in particular to prevent discriminatory effects against him or her. These measures also include at least the right of the data subject to obtain human intervention from the controller, to express his or her point of view and to challenge the decision taken against him or her.
67 It should also be noted that, according to settled case-law of the Court, any processing of personal data must comply with the principles for the processing of personal data set out in Article 5 of the GDPR and, having regard to the principle of processing of personal data provided for in Article 5(1)(a). The lawfulness of the processing must meet one of the conditions for the lawfulness of the processing set out in Article 6 of this Regulation (judgment of 20 October 2022, Digi, C‑77/21, EU:C:2022:805, paragraph 49 and those therein). case law cited). The controller must be able to demonstrate compliance with these principles in accordance with the principle of accountability set out in Article 5 (2) GDPR (see, in this sense, judgment of October 20, 2022, Digi, C‑77/21, EU:C:2022: 805, para. 24).67 It should also be noted that, according to the settled case-law of the Court, any processing of personal data must be in accordance with the principles for the processing of personal data set out in Article 5, GDPR and in view of the provisions of Article 5, paragraph one , point (a) of the principle of lawfulness of processing provided for, one of the conditions for the lawfulness of processing set out in Article 6 of this Regulation must be met (judgment of 20 October 2022, Digi, C‑77/21, EU:C:2022:805 , paragraph 49 and the case law cited there). The controller must be able to demonstrate compliance with these principles in accordance with the principle of accountability set out in Article 5, paragraph 2, GDPR see, in this sense, judgment of October 20, 2022, Digi, C‑77/21, EU:C:2022:805, No. 24).
68 If the legislation of a Member State allows the adoption of a decision based solely on automated processing in accordance with Article 22(2)(b) of the GDPR, such processing must therefore not only be carried out in accordance with the latter provision and in Article 22(4) of the GDPR not only meet the requirements set out in Articles 5 and 6 of this Regulation. Consequently, Member States may not adopt legislation pursuant to Article 22(2)(b) of the GDPR authorizing profiling without respecting the requirements of Articles 5 and 6, as interpreted by the case-law of the Court of Justice.68 According to the legislation, one Member State is permitted to adopt a decision based solely on automated processing in accordance with Article 22, paragraph 2, letter b of the GDPR, such processing must therefore not only meet the conditions set out in the latter provision and in Article 22, paragraph 4, GDPR, but also the requirements in Articles 5 and 6 of this Regulation. Consequently, Member States may not adopt legislation pursuant to Article 22, paragraph 2, point (b) of the GDPR authorizing profiling without respecting the requirements of these Articles 5 and 6, as interpreted by the case law of the Court of Justice.
69 As regards, in particular, the conditions of legality provided for in Article 6(1)(a), (b) and (f) of the GDPR, which may apply in a case such as that at issue in the main proceedings, Member States are not empowered to lay down supplementary rules for the application of those Conditions must be provided for, since such a power is limited according to Article 6 Paragraph 3 GDPR to the reasons set out in Article 6 Paragraph 1 Letters c and e of this Regulation.69 In particular, the provisions in Article 6 Paragraph 1 Letter a , b and f of the GDPR, which may apply in a case such as that in the main proceedings, Member States are not empowered to lay down additional rules for the application of those conditions, since such a power is provided for in Article 6, paragraph 3, GDPR is limited to the reasons set out in Article 6, paragraph one, letters c and e of this Regulation.
70 As far as Article 6 (1) (f) of the GDPR is concerned, in accordance with Article 22 (2) (b) of the GDPR, Member States may not deviate from the requirements resulting from the case law of the Court of Justice following the judgment of 7. December 2023, SCHUFA Holding (residual debt discharge) (C‑26/22 and C‑64/22, EU:C:2023:XXX), in particular not by conclusively prescribing the result of the balancing of the conflicting rights and interests (see, in this sense, judgment of October 19, 2016, Breyer, C‑582/14, EU:C:2016:779, para. 62).70 What also concerns Article 6, paragraph one, letter f of the GDPR in detail , pursuant to Article 22, Paragraph 2, Letter b of the GDPR, Member States may not deviate from the requirements resulting from the case law of the Court of Justice following the judgment of December 7, 2023, SCHUFA Holding (Residual Debt Discharge) (C‑26/22 and C ‑64/22, EU:C:2023:XXX), in particular not because they conclusively prescribe the result of the balancing of the conflicting rights and interests, see in this sense judgment of October 19, 2016, Breyer, C‑582 /14, EU:C:2016:779, paragraph 62).
71 In the present case, the referring court points out that only Section 31 BDSG could constitute a national legal basis within the meaning of Article 22 Paragraph 2 Letter b GDPR. However, this court has serious concerns regarding the compatibility of this Section 31 BDSG with EU law. If this provision were to be considered incompatible with EU law, SCHUFA would not only be acting without a legal basis, but would ipso iure violate the prohibition set out in Article 22(1) GDPR.71 In the present case, the referring court points out that only Paragraph 31, BDSG could represent a national legal basis within the meaning of Article 22, Paragraph 2, Letter b of the GDPR. However, this court has serious concerns regarding the compatibility of this paragraph 31, BDSG with EU law. If this provision were to be considered incompatible with Union law, SCHUFA would not only be acting without a legal basis, but would ipso iure violate the prohibition set out in Article 22, paragraph one, GDPR.
72 In this respect, it is for the referring court to examine whether Section 31 BDSG can be qualified as a legal basis within the meaning of Article 22 Paragraph 2 Letter b GDPR, according to which it would be permissible to make a decision based exclusively on automated processing enacted. Should the referring court come to the conclusion that Section 31 represents such a legal basis, it would still have to examine whether the provisions laid down in Article 22 Paragraph 2 Letter b and Paragraph 4 GDPR and Articles 5 and 6 GDPR Requirements are met in the present case.72 In this respect, it is for the referring court to examine whether Paragraph 31, BDSG can be qualified as a legal basis within the meaning of Article 22, Paragraph 2, Letter b of the GDPR, according to which it would be permissible to make a decision based solely on automated processing. If the referring court comes to the conclusion that paragraph 31 constitutes such a legal basis, it would still have to examine whether the provisions of Article 22, paragraph 2, letter b and paragraph 4 of the GDPR and Articles 5 and 6 of the GDPR requirements are met in this case.
73 In view of the foregoing, the answer to the first question is that Article 22(1) of the GDPR must be interpreted as meaning that an 'automated decision in individual cases' within the meaning of that provision occurs when a probability value based on personal data relating to a person in relation to whose ability to fulfill future payment obligations is automatically created by a credit reporting agency, provided that this probability value determines whether a third party to whom this probability value is transmitted establishes, executes or terminates a contractual relationship with this person."73 After all of this, the first question is to answer that Article 22, paragraph one, GDPR must be interpreted as meaning that an 'automated individual decision' within the meaning of this provision occurs when a probability value based on personal data about an individual with regard to his or her ability to meet future payment obligations by a Credit reporting agency is created automatically, provided that this probability value determines whether a third party to whom this probability value is transmitted establishes, executes or terminates a contractual relationship with this person.
75 5.4.2. From the reasons for the decision of the ECJ reproduced above, it can be concluded that the use of automated processing - such as AMAS - as such can already constitute a decision within the meaning of Article 22 (1) GDPR, which has no justifiable legal basis in the sense of Article 22 Paragraph 2 Letter b GDPR, as such can already constitute a decision within the meaning of Article 22 Paragraph 1 GDPR, which has no justifiable legal basis within the meaning of Article 22 Paragraph 2 Litera b GDPR The justifications for the need for an automated decision to conclude a contract within the meaning of Article 22 Paragraph 2 Letter a of the GDPR or the existence of consent within the meaning of Article 22 Paragraph 2 Letter c of the GDPR are not at issue in each case the necessity of the automated decision to conclude a contract within the meaning of Article 22, Paragraph 2, Litera a, GDPR or the existence of consent within the meaning of Article 22, Paragraph 2, Litera c, GDPR are not at issue in each case - the ban of Article 22 Paragraph 1 GDPR. If such an automated decision exists, the relevant national legislation must allow the adoption of the automated decision in individual cases and must also contain appropriate measures to safeguard the rights and freedoms and the legitimate interests of the data subject (cf. the ECJ's comments in C-634/ 21, paragraph 65). is subject to the prohibition of Article 22, paragraph one, GDPR. If such an automated decision exists, the relevant national legislation must allow the adoption of the automated decision in individual cases and must also contain appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject (see the ECJ's comments in C-634/21, No. 65).
76 According to the comments in the ECJ judgment cited, automated data processing - such as profiling - itself constitutes an “automated decision in individual cases” within the meaning of Article 22 (1) GDPR if the result of this automated processing is itself an “automated one” for a specific person Decision in individual cases” within the meaning of Article 22, paragraph one, GDPR, if the result of this automated processing is relevant for a specific - further - decision insofar as the actions of the third party are “significantly guided” by the profiling in question, and so on significantly affects the data subject (cf. the ECJ's statements in C decision is relevant in that the actions of the third party are "significantly guided" by the profiling in question, and thus significantly affects the data subject cf. the ECJ's statements in C-634/21 , paragraphs 48 and 73).
77 5.4.3. Depending on the case, this results in the following:
78 5.4.3.1. First of all, it should be noted that the classification of the mP's automated processing of the personal data of the job seekers concerned (in AMAS), based on a mathematical-statistical program, as “profiling” within the meaning of Article 4, Paragraph 4 of the GDPR the standard of the case law of the ECJ in C First of all, it should be pointed out that the classification of the automated processing of the personal data of the job seekers concerned (in AMAS) used by the mP, based on a mathematical-statistical program, as “profiling” in the sense of Article 4, Paragraph 4, GDPR cannot be doubted according to the case law of the ECJ in C-634/21.
79 Now, according to the ECJ, automated processing - here the determination of the IC value, which determines the probability of integration into the labor market - itself (already) constitutes an “automated decision” within the meaning of Article 22 (1). DSGVO, provided that this probability value significantly determines the allocation to the intended customer groups and thus has a legal effect on the affected job seekers or significantly affects them in a similar way. itself (already) to be viewed as an “automated decision” within the meaning of Article 22, paragraph one, GDPR, provided that this probability value significantly determines the allocation to the intended customer groups and thus has a legal effect on the job seekers affected or significantly affects them in a similar way .
80 The fact that the final decision on customer group assignment lies with the mP consultants cannot prevent the AMAS from being qualified as an automated decision within the meaning of Article 22 Para. 1 GDPR, as the ECJ's judgment is based on the facts that Ultimately, the potential lender decides on the question of the conclusion of the loan agreement in question. The fact that the final decision on customer group assignment lies with the mP consultants cannot prevent the AMAS from being qualified as an automated decision within the meaning of Article 22, paragraph one, GDPR, as the ECJ's judgment is based on the fact that Ultimately, the potential lender decides on the question of the conclusion of the loan agreement in question. The - possibly - purely formal separation of the decision, which is significantly influenced by the automated data processing, from the automated data processing itself, does not prevent the latter from being classified as a decision that is fundamentally prohibited against the background of Art. 22 GDPR (cf. again ECJ C purely formal separation of the The decision, which is significantly influenced by the automated data processing itself, prevents the latter from being classified as a decision that is fundamentally prohibited against the background of Article 22, GDPR, namely, do not compare again ECJ C-634/21, para. 73). The BVwG's statement that it was ensured through instructions and training that the mP consultants would not accept the results of the algorithm without question may now justify the assumption that the classification into the respective customer group does not occur exclusively on the basis of the AMAS. However, this statement does not exclude the possibility that AMAS - as an automated decision - is ultimately decisive for this classification.
81 Since the BVwG, based on its legal opinion - which is to be regarded as incorrect in the light of the ECJ ruling - does not make any statements on the exact use of the AMAS - in particular no concrete statements on the question of which other parameters are taken into account to what extent, or what procedure is used in the process Utilization of the AMAS is intended - the question of the relevance of automated processing in the present case cannot be assessed in an exhaustive legal manner.
82 5.4.3.2. If the use of AMAS falls within the scope of Article 22 Paragraph 1 GDPR, this would mean that it is prohibited unless one of the exceptions mentioned in Article 22 Paragraph 2 GDPR is applicable and the special requirements of Art. 22 Para. 3 and 4 GDPR are fulfilled. If the use of AMAS falls within the scope of Article 22, paragraph one, GDPR, this would mean that it is prohibited unless one of the exceptions mentioned in Article 22, paragraph 2, GDPR is applicable and the special requirements of Article 22, paragraph 3, and 4 GDPR are fulfilled.
83 Art. 22 Paragraph 2 Letter b GDPR contains an opening clause that allows the Union and the Member States to create legal provisions for automated decisions. The relevant Article 22, Paragraph 2, Litera b, GDPR contains an opening clause that allows the Union and the Member States to create legislation for automated decisions. However, the relevant - justifiable - national legislation would have to allow the adoption of the automated decision in individual cases and also contain appropriate measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject (cf. the ECJ's comments in C-634/21, para . 65). Furthermore, these would have to meet the requirements of Articles 5 and 6 GDPR as interpreted by the case law of the Court of Justice (cf. again ECJ C-634/21, para. 68). However, national legislation would have to allow the adoption of automated decisions in individual cases and also contain appropriate measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject (see the ECJ's comments in C-634/21, para. 65). Furthermore, these would have to meet the requirements of Articles 5 and 6 GDPR as interpreted by the case law of the Court of Justice (see again ECJ C-634/21, para. 68).
84 The AMSG now obviously does not contain any provision that would fulfill the justification requirement of Article 22 Paragraph 2 Letter b of the GDPR with regard to case-related processing - AMAS. would meet the justification requirement of Article 22, Paragraph 2, Litera b, GDPR.
85 The GDPR understands “legal basis” - and therefore also “legal provision” in Article 22, Paragraph 2, Letter b of the GDPR - and therefore also “legal provision” in Article 22, Paragraph 2, Litera b, GDPR - recital 41 not necessarily a “legislative act adopted by a parliament”. However, whether there is a legal basis for the use of AMAS that justifies this profiling and satisfies the requirements of recital 41 with regard to clarity, precision and predictability and meets the requirements of the ECJ regarding the opening clause (cf. again C-634/21, para. 65 and 68), according to recital 41, the BVwG did not necessarily mean a “legislative act adopted by a parliament”. However, whether there is a legal basis for the use of AMAS that justifies this profiling and satisfies the requirements of recital 41 with regard to clarity, precision and predictability and meets the requirements of the ECJ regarding the opening clause, see again C-634/21, paragraphs 65 and 68 ), was not adopted by the BVwG - based on the legal opinion that AMAS does not constitute an automated decision within the meaning of Article 22, Paragraph 1 of the GDPR checked.
86 5.5. According to what was said above, the appeal had to be followed in its outcome and the contested finding was due to the existence of the points under point 5.4. to annul the secondary findings shown due to the illegality of the content in accordance with Section 42 Para. 2 Z 1 VwGG. According to what was said above, the appeal had to be followed in its outcome and the contested finding was due to the existence of the points under point 5.4. to annul the secondary deficiencies in the findings due to the illegality of the content in accordance with Section 42, Paragraph 2, Number One, VwGG.
87 The BVwG will continue the proceedings in the context of an oral hearing against the background of the points under point 5.4. to discuss the legal situation with the parties and to give them the opportunity to comment or submit additional facts.
Vienna, December 21, 2023
